Hi, my name is Bogdan Calin, I work for Acunetix.
I would like to report a security vulnerability in dokuwiki that appears in certain server configurations.
An attacker can create a new page named "test.php" by visiting the URL: http://bld02/dokuwiki-2009-12-25/doku.php?id=test.php
He can edit this page and enter the following text: <?php phpinfo(); ?>
A file named "test.php.meta" is created in the directory ./data/meta/
Apache will threat files named filename.php.something as php files and execute them.
Therefore, on certain servers, if you visit the URL http://bld02/dokuwiki-2009-12-25/data/meta/test.php.meta
you can see the results of phpinfo().
The data directory is normally protected by Apache's .htaccess configuration file and normally not directly accessible.
However, if your application is running on an Apache web server configured with AllowOverride None, the .htaccess file will be ignored and an attacker can execute arbitrary PHP code. Also, if the adminstrator has changed the name of .htaccess file.
I've found a few vulnerable installations in a few minutes so this is not a theoretical problem.
One workaround would be to not allow creation of pages named something.phpanything (.php, .php3, .php4., ...) or to translate "." to another character when creating the filename. However, I'm not very familiar with dokuwiki internals so you will probably find a better solution.
You can contact me at bogdan [at] acunetix.com
Please let me know if you plan to fix this issue.
Also, please contact me if you don't plan to fix it.
Thanks in advance,