DokuWiki contains two related security flaws. The first allows users with valid accounts to access pages for which they do not have read permission. The second allows all users (including anonymous ones) to read the start page, even if they do not have read permission for it. These flaws apply to at least 2005-05-07 and 2005-07-01.
Steps to reproduce #1:
1. Log out of DokuWiki
2. Navigate to a DokuWiki page for which you do not have read permission
3. When the "Permission Denied" screen appears, click "Login"
4. Log in to the wiki.
The contents of the protected page will now be displayed. However, navigating to the page without re-sending authentication credentials (for example, by clicking on the page name in the breadcrumb trace) will cause the "Permission Denied" message to be displayed as it should.
Steps to reproduce #2:
1. Enter an empty search string in the Search box.
The problem in both cases is how permissions checking is done in act_dispatch(). The "login" action only requires AUTH_NONE permission, but act_auth() can promote "login" to "show" *after* act_permcheck() is called. Similarly, the block labeled "check if searchword was given - else just show" can promote an AUTH_NONE action to AUTH_READ.
The fix would be to move both the "login stuff" and "check if searchword was given" blocks before the "check permissions" block, except for one problem: that would disable the AUTH_ADMIN check for the "register" action in the case that open registration is disabled. Therefore act_auth() needs to be split into two functions: one which runs before act_permcheck() and handles "login" and "logout", and another which runs after act_permcheck() and handles "register". With this fix, actions which need only AUTH_NONE privilege, but can promote actions to higher privilege levels, run before act_permcheck(), and those which require higher privileges but cannot promote actions run after act_permcheck().
I have attached a patch which implements these changes.
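The ordering problem described above, as an added example that is not part of the original report or its attached patch. It is a simplified model rather than DokuWiki source: the helper names (page_perm, required_perm, permcheck, promote, dispatch_vulnerable, dispatch_fixed), the ACL table and the request arrays are all constructed for illustration, and the "register" handling is left out.

```php
<?php
// Simplified model of check-then-promote versus promote-then-check.
// Not DokuWiki code: every function and value below is constructed.
const AUTH_NONE = 0;
const AUTH_READ = 1;

// Constructed ACL: the permission the requesting user holds on each page.
function page_perm(string $page): int {
    $acl = ['public' => AUTH_READ, 'private' => AUTH_NONE, 'start' => AUTH_NONE];
    return $acl[$page] ?? AUTH_NONE;
}

// Permission an action requires: "show" needs AUTH_READ, login and search AUTH_NONE.
function required_perm(string $act): int {
    return $act === 'show' ? AUTH_READ : AUTH_NONE;
}

// Stand-in for act_permcheck(): replace the action with "denied" if the ACL fails.
function permcheck(string $act, string $page): string {
    return page_perm($page) >= required_perm($act) ? $act : 'denied';
}

// The two promotions named in the report: successful login and empty search become "show".
function promote(string $act, array $req): string {
    if ($act === 'login' && !empty($req['logged_in'])) return 'show';
    if ($act === 'search' && trim($req['query'] ?? '') === '') return 'show';
    return $act;
}

// Ordering the report describes as flawed: the check sees the AUTH_NONE action only.
function dispatch_vulnerable(array $req): string {
    return promote(permcheck($req['act'], $req['page']), $req);
}

// Ordering the report proposes: the check sees the action that will actually run.
function dispatch_fixed(array $req): string {
    return permcheck(promote($req['act'], $req), $req['page']);
}

// Constructed requests corresponding to the two reproduction cases.
$cases = [
    'login on protected page' => ['act' => 'login', 'page' => 'private', 'logged_in' => true],
    'empty search on start'   => ['act' => 'search', 'page' => 'start', 'query' => ''],
];
foreach ($cases as $name => $req) {
    printf("%-24s vulnerable=%-6s fixed=%s\n",
        $name, dispatch_vulnerable($req), dispatch_fixed($req));
}
```

A regression test for this class of bug should assert on the final action that reaches the renderer, not on the action named in the request.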