« Building a Pagination System with AJAX | Main | iRows.com Delivers Online Web Spreadsheets for Salesforce.com's AppExchange »

DokuWiki remote PHP code injection

Stefan Esser has found a critical security issue in DocuWiki. The bug allows remote PHP code injection through its AJAX spellchecking service. It is due to /e modifier of preg_replace() that handles links that are embedded in the text and translates them in an unsafe way. Stefan has posted an advisory with details about the bug and a recommendation to upgrade.

wiki%20dokuwiki.png
While searching for the perfect Wiki PHP application for my own german/korean wiki, I tested DokuWiki and found an ugly security hole that allows remote PHP code injection through it's AJAX spellchecking service.

Posted by Hatem on June 5, 2006 11:27 PM to AJAX Security |

Bookmark this article at these sites
Comments
1

a little mistake
"DocuWiki" should be DokuWiki,is it?

Posted by RainChen | September 30, 2006 6:05 AM | Reply

Post a comment





(Email will remain hidden)





Please enter the security code you see here




Related entries
Email to a friend
Email this article to:


Your email address:


Message (optional):