9.3
CVE-2009-1960
- EPSS 23.16%
- Veröffentlicht 08.06.2009 01:00:00
- Zuletzt bearbeitet 16.06.2026 23:08:27
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 23.16% | 0.975 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.3 | 8.6 | 10 |
AV:N/AC:M/Au:N/C:C/I:C/A:C
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
http://bugs.splitbrain.org/index.php?do=details&task_id=1700
http://dev.splitbrain.org/darcsweb/darcsweb.cgi?r=dokuwiki%3Ba=commitdiff%3Bh=20090526145030-7ad00-c0483e021f47898c8597f3bfbdd26c637f891d86.gz
http://secunia.com/advisories/35218
http://www.securityfocus.com/bid/35095
https://www.exploit-db.com/exploits/8781
https://www.exploit-db.com/exploits/8812