CVE-2006-2878

Description

The spellchecker (spellcheck.php) in DokuWiki 2006/06/04 and earlier allows remote attackers to insert and execute arbitrary PHP code via "complex curly syntax" that is inserted into a regular expression that is processed by preg_replace with the /e (executable) modifier.

Affected products

• andreas_gohr / dokuwikirelease_2006-06-04
• andreas_gohr / dokuwikirelease_2004-07-04 – release_2004-07-04
• andreas_gohr / dokuwikirelease_2004-07-07 – release_2004-07-07
• andreas_gohr / dokuwikirelease_2004-07-12 – release_2004-07-12
• andreas_gohr / dokuwikirelease_2004-07-21 – release_2004-07-21
• andreas_gohr / dokuwikirelease_2004-07-25 – release_2004-07-25
• andreas_gohr / dokuwikirelease_2004-08-08 – release_2004-08-08
• andreas_gohr / dokuwikirelease_2004-08-15a – release_2004-08-15a
• andreas_gohr / dokuwikirelease_2004-08-22 – release_2004-08-22
• andreas_gohr / dokuwikirelease_2004-09-12 – release_2004-09-12
• andreas_gohr / dokuwikirelease_2004-09-25 – release_2004-09-25
• andreas_gohr / dokuwikirelease_2004-09-30 – release_2004-09-30
• andreas_gohr / dokuwikirelease_2004-10-19 – release_2004-10-19
• andreas_gohr / dokuwikirelease_2004-11-01 – release_2004-11-01
• andreas_gohr / dokuwikirelease_2004-11-02 – release_2004-11-02
• andreas_gohr / dokuwikirelease_2004-11-10 – release_2004-11-10
• andreas_gohr / dokuwikirelease_2005-01-14 – release_2005-01-14
• andreas_gohr / dokuwikirelease_2005-01-15 – release_2005-01-15
• andreas_gohr / dokuwikirelease_2005-01-16a – release_2005-01-16a
• andreas_gohr / dokuwikirelease_2005-02-06 – release_2005-02-06
• andreas_gohr / dokuwikirelease_2005-02-18 – release_2005-02-18
• andreas_gohr / dokuwikirelease_2005-05-07 – release_2005-05-07
• andreas_gohr / dokuwikirelease_2005-07-01 – release_2005-07-01
• andreas_gohr / dokuwikirelease_2005-07-13 – release_2005-07-13
• andreas_gohr / dokuwikirelease_2005-09-19 – release_2005-09-19
• andreas_gohr / dokuwikirelease_2005-09-22 – release_2005-09-22
• andreas_gohr / dokuwikirelease_2006-03-05 – release_2006-03-05

References

• MISChttp://bugs.splitbrain.org/index.php?do=details&id=823
• MISChttp://www.securityfocus.com/bid/18289
• MISChttp://www.securityfocus.com/archive/1/435989/100/0/threaded
• MISChttp://securitytracker.com/id?1016221
• MISChttp://www.osvdb.org/25980
• VENDOR_ADVISORYhttp://secunia.com/advisories/20429
• MAILING_LISThttp://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046602.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/20669
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2006/2142
• MISChttp://www.hardened-php.net/advisory_042006.119.html
• MISChttps://exchange.xforce.ibmcloud.com/vulnerabilities/26913
• MISChttp://www.gentoo.org/security/en/glsa/glsa-200606-16.xml