This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests
are now tracked at the issue tracker at Github.
Closed
Fixed
FS#906 dwpage.php Remote Code Execution Exploit
Security
2006-09-08 andi
Intro:
Some blackhat hacker discovered a serious security issue in DokuWiki and released an exploit without informing the DokuWiki developers. The exploit has already been seen used in the wild attacking several DokuWiki installs.
The hacker exploited the dwpage.sh script located in the bin directory which is intended to be used as a shell script to automate DokuWiki page modifications. The bin directory was not protected and being accessible from the web.
Who is vulnerable:
All DokuWiki installations with an unprotected bin directory accessible through the web. PHP needs to have the register_argc_argv option enabled (is on by default).
Symptoms:
Exploited wikis currently have a changelog entry named 'wiki:suntzu "suntzu" _admin_' but this may change of course.
One part of the exploit replaces some wiki configurations; you may no longer be able to log into your wiki after being attacked.
Fix:
Either delete the whole bin directory or move it outside the webserver root. Or add a .htaccess with the following contents to the bin directory:
order allow,deny
deny from all
An updated package will be shortly available.
Recover from an Attack:
An attacker might have placed any code on your server where the webserver has write access. For DokuWiki it is recommended to secure your page data and reinstall a clean DokuWiki.
DokuWiki on Windows/IIS - I presume the alternative to .htaccess is to restrict Windows permissions on the bin folder. What in DokuWiki will not work if the bin folder has access denied to all?
2006-09-08 andi
If you don't know what the files in the bin folder are good for, you probably never used the files in it and can safely delete the whole folder. The bin folder contains scripts to be run on a commandline to automate certain tasks in DokuWiki.
2006-09-11 ChrisS
Development version patched to add a sapi check at the start of each of the scripts in the lib/bin directory and have the script abort if the script isn't being run using the 'cli' sapi - i.e., the scripts will abort immediately if run by the webserver.
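The guard ChrisS describes, and the register_argc_argv condition from the "Who is vulnerable" section, as an added example. This is not DokuWiki's own code and not the actual patch; the script name, the maintenance action and the argument layout are hypothetical. It shows why a command-line script that reads $argv needs the SAPI check: with register_argc_argv enabled, the web SAPIs also populate $argv (from the query string), so a script that was only ever meant for the shell would otherwise accept its arguments from any HTTP request if the directory is reachable by the webserver.

```php
<?php
/*
 * Added example (not DokuWiki code): a hypothetical maintenance script,
 * say lib/bin/example_maintenance.php, with the kind of SAPI guard that the
 * patched development version adds at the top of every script in lib/bin.
 */

// 1. Refuse to run unless PHP was started by the command-line SAPI.
//    PHP_SAPI is the same value php_sapi_name() returns ('cli', 'apache2handler',
//    'cgi-fcgi', ...). Anything other than 'cli' means a webserver invoked us.
if (PHP_SAPI !== 'cli') {
    // Only a web SAPI can meaningfully send headers; stop before touching any data.
    header('HTTP/1.0 403 Forbidden');
    die("This script may only be run from the command line.\n");
}

// 2. Defence in depth: a real CLI process never carries a client address.
//    (Web SAPIs set REMOTE_ADDR; the CLI SAPI does not.)
if (!empty($_SERVER['REMOTE_ADDR'])) {
    die("Refusing to run: request appears to come from a webserver.\n");
}

/**
 * Parse the command line only after the guard has passed.
 * Hypothetical layout: <action> <pageid>, e.g. "dump wiki:start".
 * The CLI SAPI always provides $argv, regardless of register_argc_argv.
 */
function parse_args(array $argv): array
{
    $args = array_slice($argv, 1);          // drop the script name
    if (count($args) !== 2) {
        fwrite(STDERR, "usage: php " . basename($argv[0]) . " <action> <pageid>\n");
        exit(1);
    }
    [$action, $pageid] = $args;

    // Whitelist the action and constrain the page id to DokuWiki-style characters,
    // so a stray argument can never become a path or a shell fragment.
    $allowed = ['dump', 'touch'];
    if (!in_array($action, $allowed, true)) {
        fwrite(STDERR, "unknown action '$action'\n");
        exit(1);
    }
    if (!preg_match('/^[a-z0-9_:\-\.]+$/', $pageid)) {
        fwrite(STDERR, "invalid page id '$pageid'\n");
        exit(1);
    }
    return ['action' => $action, 'pageid' => $pageid];
}

$opts = parse_args($argv);

// 3. The actual maintenance work would go here (hypothetical placeholder).
echo "would run '{$opts['action']}' on page '{$opts['pageid']}' as user " .
     (get_current_user() ?: 'unknown') . "\n";
```

The SAPI check is the part that closes the hole the advisory describes; it holds even if the bin directory is later re-exposed by a misconfigured vhost or a copied install. The .htaccess from the "Fix" section and this guard are complementary: the first keeps the webserver from ever handing the request to PHP, the second makes the script harmless if it does. Note that turning register_argc_argv off in php.ini only affects the web SAPIs; the CLI SAPI always populates $argv, so the scripts keep working from the shell.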