PT-2012-52: Open Redirect in DokuWiki

Vulnerable software

Version: 2012-10-13 "Adora Belle" and earlier

Application link:

Severity level

Severity level: Medium
Impact: Open Redirect
Access Vector: Remote

CVSS v2:
Base Score: 5.0
Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE: not assigned

Software description

DokuWiki is a simple to use Wiki aimed at the documentation needs of a small company. It works on plain text files and thus needs no database.

Vulnerability description

Positive Research Center experts have discovered an open redirect issue in /lib/exe/fetch.php. A legitimate query looks as follows:


The "hash" parameter is meant to protect the web application from open redirect and is calculated as follows:


The value of auth_cookiesalt() is not accessible to an attacker; however, the "hash" parameter and the first 6 characters of the resulting MD5 are compared incorrectly, using PHP's loose != operator:

if(substr(md5(auth_cookiesalt().$media),0,6) != $_REQUEST['hash']){
  // loose (!=) comparison: when both operands are numeric strings, PHP compares them as numbers
  return array( 412, 'Precondition Failed');
}

Consider the case in which an attacker sends a series of requests like this:


Within a few thousand requests, the first 6 characters of the MD5 will take a form such as 0e1234 or 0e1337. PHP treats such a numeric string as the number 0, so it compares loosely equal to a "hash" value of 0, and the protection is bypassed.
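The following PHP snippet is an added illustration and is not DokuWiki's code. It reproduces the weak prefix check described above beside a type-safe replacement, and counts how often a 6-character MD5 prefix loosely equals "0". The salt and media values are constructed; $salt stands in for auth_cookiesalt().

```php
<?php
// Added example, not DokuWiki's code. All values are constructed.

function weak_hash_check(string $salt, string $media, string $userHash): bool
{
    // Loose comparison: if both operands are numeric strings, PHP compares
    // them as numbers, so "0e1234" != "0" evaluates to false.
    $expected = substr(md5($salt . $media), 0, 6);
    return !($expected != $userHash);
}

function strict_hash_check(string $salt, string $media, string $userHash): bool
{
    // hash_equals() compares byte by byte in constant time and never coerces
    // its arguments to numbers; the full digest is compared, not a prefix.
    return hash_equals(md5($salt . $media), $userHash);
}

// Loose vs strict comparison on a prefix of the form the advisory describes.
var_dump("0e1234" == "0");   // bool(true): both are numeric strings equal to 0
var_dump("0e1234" === "0");  // bool(false): strict comparison checks type and bytes

// Count how many constructed media values yield a prefix that passes the
// weak check with hash=0 (constructed salt, constructed media names).
$salt = 'constructed-salt-value';
$tries = 50000;
$passing = [];
for ($i = 0; $i < $tries; $i++) {
    $media = "item-$i";
    if (weak_hash_check($salt, $media, '0')) {
        $passing[] = $media . ' -> ' . substr(md5($salt . $media), 0, 6);
    }
}
printf("%d of %d constructed values pass the weak check with hash=0\n",
       count($passing), $tries);
foreach (array_slice($passing, 0, 5) as $line) {
    echo $line, "\n";
}

// The strict check rejects every one of those values, since none of them
// carries the full 32-character digest.
$rejected = 0;
foreach ($passing as $line) {
    $media = explode(' -> ', $line)[0];
    if (!strict_hash_check($salt, $media, '0')) {
        $rejected++;
    }
}
printf("strict check rejected %d of %d\n", $rejected, count($passing));
```

Run with `php example.php`. The exact count varies with the salt, but on the order of one value in two thousand produces a prefix of the form 0e followed by four decimal digits, which matches the "few thousand requests" figure in the advisory. The strict variant removes the problem in two ways: hash_equals() never applies numeric coercion, and comparing the full digest rather than a 6-character prefix leaves no short value to collide on.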

How to fix

Update to the latest version.

Advisory status

22.10.2012 - Vendor gets vulnerability details
06.03.2013 - Vendor releases fixed version and details
19.03.2013 - Public disclosure


The vulnerability was discovered by Arseniy Reutov, Positive Research Center (Positive Technologies Company).

