DokuWiki

IMPORTANT!

This is the old issue tracking system for DokuWiki. Issues can not be added here anymore. Please refer to https://github.com/splitbrain/dokuwiki/issues for the new system.


FS#2136 - Security Release 2010-11-07a

Attached to Project: DokuWiki
Opened by Andreas Gohr (andi) - Sunday, 16 January 2011, 18:15 GMT
Last edited by Adrian Lang (adrianlang) - Saturday, 05 February 2011, 10:35 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Operating System All
Severity Low
Priority Normal
Reported Version none
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

We just released a Security Fix for Anteater

This security update fixes problems in the XMLRPC interface where ACLs were not checked correctly sometimes, making it possible to access and write information that should not have been accessible/writable. This only affects users who have enabled the XMLRPC interface (default is off) and have enabled XMLRPC access for users who can't access/write all content anyway (default is nobody, see http://www.dokuwiki.org/config:xmlrpcuser for details).

This update also includes a fix for a problem in the general ACL checking function that could be exploited to gain access to restricted pages and media files in rare conditions (when you had rights for an id you could get the same rights on ids where one character has been replaced by a ".").

An updated package is available at the usual download place.

If you want to manually update, replace

lib/exe/xmlrpc.php with https://github.com/splitbrain/dokuwiki/raw/stable/lib/exe/xmlrpc.php
inc/auth.php with https://github.com/splitbrain/dokuwiki/raw/stable/inc/auth.php

And increase the $updateVersion variable in doku.php to 30.
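An added illustration of the ACL bug class described above (example code written for this page, not DokuWiki's own code and not part of the original report): a minimal PHP model of an ACL lookup that interpolates the requested ID into a regular expression and greps it over the rule lines. The rule line format and the lookup order (exact ID first, then ns:* from the deepest namespace up to *, highest permission of all matching lines wins) are modeled loosely on DokuWiki's auth_aclcheck(); the rule set, the function names and the $escape_id switch are assumptions constructed for the example.

```php
<?php
// Illustrative model of the "unescaped ID in an ACL regexp" bug class.
// NOT DokuWiki's own code: lookup order is modeled loosely on
// auth_aclcheck(); rule set, names and the $escape_id switch are constructed.

// Constructed rule set in the acl.auth.php line format: <id> <subject> <perm>
$AUTH_ACL = array(
    '*                   @ALL  0',  // everything closed by default
    'public:page         @ALL  8',  // one page everybody may edit
    'release:v1-0:*      @ALL  1',  // old naming scheme, readable by all
    'release:v1.0:*      @ALL  0',  // new naming scheme, restricted
);

// Highest permission found on a set of matching rule lines.
function acl_max_perm(array $lines) {
    $perm = 0;
    foreach ($lines as $line) {
        $parts = preg_split('/\s+/', trim($line));
        $perm  = max($perm, (int) $parts[2]);
    }
    return $perm;
}

// $escape_id = false reproduces the vulnerable behaviour: the requested ID
// is put into the pattern verbatim, so a "." in it matches any character.
// $escape_id = true applies preg_quote() to the request-controlled parts.
function acl_lookup($id, array $subjects, array $acl, $escape_id) {
    $subj = implode('|', array_map(function ($s) { return preg_quote($s, '/'); }, $subjects));

    // 1. rules naming the requested ID exactly
    $idpat = $escape_id ? preg_quote($id, '/') : $id;
    $hits  = preg_grep('/^' . $idpat . '\s+(' . $subj . ')\s+/u', $acl);
    if ($hits) return acl_max_perm($hits);

    // 2. namespace rules (ns:*), from the deepest namespace up to the root (*)
    $ns = (strrpos($id, ':') === false) ? '' : substr($id, 0, strrpos($id, ':'));
    while (true) {
        if ($ns === '') {
            $path = '\*';
        } else {
            $path = ($escape_id ? preg_quote($ns, '/') : $ns) . ':\*';
        }
        $hits = preg_grep('/^' . $path . '\s+(' . $subj . ')\s+/u', $acl);
        if ($hits) return acl_max_perm($hits);
        if ($ns === '') return 0;   // no rule matched at all
        $ns = (strrpos($ns, ':') === false) ? '' : substr($ns, 0, strrpos($ns, ':'));
    }
}

// Two requests by an anonymous user: one ID that differs from a granted ID
// in a single character replaced by ".", and one restricted ID that really
// contains a dot and has an open sibling namespace differing only there.
$who = array('@ALL');
foreach (array('publ.c:page', 'release:v1.0:notes') as $id) {
    printf("%-20s vulnerable=%d fixed=%d\n", $id,
        acl_lookup($id, $who, $AUTH_ACL, false),
        acl_lookup($id, $who, $AUTH_ACL, true));
}
```

Run it with `php` on the command line. With $escape_id = false, publ.c:page inherits the permission granted to public:page because the unescaped "." matches any character, which is exactly the behaviour the report describes; the release:v1.0:notes case shows the rare condition under which that becomes real access to a restricted namespace, because the namespace pattern also matches the open sibling release:v1-0:* and the higher permission wins. With preg_quote() applied both lookups fall through to the root rule and return 0. The check to apply to any similar code is the same: every request-controlled string that reaches a regular expression goes through preg_quote() with the delimiter in use, both at the exact-match step and in the namespace loop.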

Closed by  Adrian Lang (adrianlang)
Saturday, 05 February 2011, 10:35 GMT
Reason for closing:  None
Comment by Phil Simpson (jikbag) - Tuesday, 18 January 2011, 00:04 GMT
My $updateVersion is already at 30 and I'm still getting the warning message. Did you mean to write 31?
Comment by Phil Simpson (jikbag) - Tuesday, 18 January 2011, 00:05 GMT
Nevermind. Please disregard my last comment.
Comment by Nathan Moore (beefstew) - Thursday, 10 February 2011, 14:15 GMT
I'm not confident that SSL is configured properly on my machine, but when I grab the file with wget, I see the following error.

# wget https://github.com/splitbrain/dokuwiki/raw/stable/lib/exe/xmlrpc.php
--2011-02-10 08:10:52-- https://github.com/splitbrain/dokuwiki/raw/stable/lib/exe/xmlrpc.php
Resolving github.com... 207.97.227.239
Connecting to github.com|207.97.227.239|:443... connected.
ERROR: certificate common name `*.github.com' doesn't match requested host name `github.com'.
To connect to github.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
Comment by Stefan Schweiger (nuki) - Wednesday, 27 April 2011, 12:51 GMT
After doing the manual update method, my dokuwiki does not work anymore.
The error.log of my apache2 tells me:

[Wed Apr 27 14:37:36 2011] [error] [client xxx.xxx.xxx.xxx] PHP Fatal error: Class 'PassHash' not found in /var/www/dokuwiki/inc/auth.php on line 959
Comment by Tony Baltazar (alpha01) - Saturday, 04 June 2011, 17:18 GMT
Stefan, I got the exact same error when manually upgrading my DokuWiki installation (“Anteater”).

I was surprised that I wasn't able to find any documentation about this, since apparently it looks like a bug was introduced.
The problem lies in PHP not being able to find a PassHash class.

I made a recursive grep search and indeed the class PassHash was completely missing in action.
Here is what I did to fix this:
I manually created the PassHash class in inc/PassHash.class.php with http://xref.dokuwiki.org/reference/dokuwiki/inc/PassHash.class.php.source.txt and updated inc/auth.php to also require the PassHash.class.php class in the auth_setup() function.

require_once(DOKU_INC.'inc/PassHash.class.php');
Then you'll need to reset your password using the DokuWiki forget password feature.
I hope this helps.
-Tony
Comment by Stefan Schweiger (nuki) - Wednesday, 08 June 2011, 07:56 GMT
Hi Tony,

thanks for your help. It worked perfectly :-)

kind regards
Stefan
