DokuWiki remote PHP code injection

Monday, June 5. 2006

While searching for the perfect Wiki PHP application for my own german/korean wiki I tested DokuWiki and found an ugly security hole, that allows remote PHP code injection through it's AJAX spellchecking service.

You can grab my advisory at the usual place.

Posted by Stefan Esser in PHP, Security at 14:29

Comments (3)

Link to this post

Comments

Display comments as (Linear | Threaded)

#1 Aaron Wormus wrote (Link) ()

IMO Dukuwiki is the best damn wiki out there

would be interested in if you found anything better.

posted on Monday, June 5. 2006

#1.1 Norbert wrote (Link) ()

I agree. Please let us know if you found a more professional wiki software. Until then, Dokuwiki beats everything

Thanks for the advisory.

posted on Tuesday, June 6. 2006

#1.2 Cyril wrote (Link) ()

Dokuwiki is probably the best PHP wiki.
But the best wiki overall is imho Confluence, written by an australian company called Atlassian. It's pretty expensive as it's aimed at businesses but look it up and give it a go. You can get a personal license (2 users max I think) and they support open source projects giving away licenses too. Its feature set is great (the integration with JIRA, their bug-tracking app is really handy) and it's got tons of plugins.
My company is currently in the process of switching from Dokuwiki (which is great for a small project) to Confluence.

Thanks again Stefan for your efforts and expertise.

posted on Wednesday, June 7. 2006

Add Comment

Name:

Email:

Homepage:

In reply to:

Comment:

Standard emoticons like :-) and ;-) are converted to images.

Remember Information?
Subscribe to this entry

Calendar