A security hole was discovered which allows an attacker to include arbitrary files located on the attacked DokuWiki installation. The included file is executed in the PHP context. This can be escalated by introducing malicious code through uploading file via the media manager or placing PHP code in editable pages.
However the attack is only possible when the PHP option register_globals is enabled. This option is disabled by default since several years and its usage is generally discouraged. This should hopefully limit the effect of an exploit that has been seen in the wild already.
Affected versions are 2009-02-14, rc2009-02-06, rc2009-01-30 and all development releases until today.
To secure your installation, make sure you disable the register_global option in your php.ini (DokuWiki will work fine without it).
An updated stable release named 2009-02-14b is available at
http://www.splitbrain.org/go/dokuwiki
If you'd like to fix the issue manually, please follow these steps:
Open inc/init.php in an editor
Remove the following line (line 45):
global $config_cascade;
And add the following two line in line 13
global $config_cascade;
$config_cascade = '';
Should be right before the following:
// if available load a preload config file
$preload = fullpath(dirname(__FILE__)).'/preload.php';
if (@file_exists($preload)) include($preload);