This is the old issue tracking system for DokuWiki. Issues cannot be added here anymore. Please refer to for the new system.


FS#1847 - show outside directory

Attached to Project: DokuWiki
Opened by white (white_sheep) - Wednesday, 13 January 2010, 01:12 GMT
Last edited by Andreas Gohr (andi) - Wednesday, 13 January 2010, 17:53 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: No-one
Operating System: All
Severity: High
Priority: Normal
Reported Version: 2009-12-25 "Lemming"
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No


I found this bug that shows me an outside directory.
A PoC is:


Please fix ASAP.

I will publish it after 30 days from now.

If you need more information, contact me.


white_sheep - IHTeam Staff

Closed by Andreas Gohr (andi)
Wednesday, 13 January 2010, 17:53 GMT
Reason for closing: Fixed
Additional comments about closing: fixed in 2009-12-25b
Comment by Andreas Gohr (andi) - Wednesday, 13 January 2010, 17:50 GMT
The bug allows listing the names of arbitrary files on the webserver - not their contents. This could leak private information about wiki pages and server structure.

A hotfix named 2009-12-25b was released and can be downloaded at

If you want to manually fix the flaw, replace the ACL Manager plugin in lib/plugins/acl/ with the version available at and increase the number in conf/msg to 24.
Comment by Andreas Gohr (andi) - Friday, 15 January 2010, 09:32 GMT
Because of a typo in the administrator permission check this bug also affects editing the current ACL statements, allowing an attacker to introduce arbitrary ACL rules and thus gaining access to a closed Wiki. An exploit was seen in the wild and upgrading to the version mentioned or applying the manual fix above is highly recommended.
Comment by Andreas Gohr (andi) - Sunday, 17 January 2010, 10:51 GMT
Please also see FS#1853