Advisories » MGASA-2014-0438

Updated dokuwiki packages fix security vulnerabilities

Publication date: 31 Oct 2014
Modification date: 31 Oct 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-8761, CVE-2014-8762, CVE-2014-8763, CVE-2014-8764

Description

inc/template.php in DokuWiki before 2014-05-05a only checks for access to the
root namespace, which allows remote attackers to access arbitrary images via a
media file details ajax call (CVE-2014-8761).

The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote
attackers to access arbitrary images via a crafted namespace in the ns
parameter (CVE-2014-8762).

DokuWiki before 2014-05-05b, when using Active Directory for LDAP
authentication, allows remote attackers to bypass authentication via a
password starting with a null (\0) character and a valid user name, which
triggers an unauthenticated bind (CVE-2014-8763).

DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP
authentication, allows remote attackers to bypass authentication via a user
name and password starting with a null (\0) character, which triggers an
anonymous bind (CVE-2014-8764).
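
Added example (not part of the advisory and not DokuWiki's own code): a PHP guard that could run before an LDAP simple bind to refuse the credential shapes described for CVE-2014-8763 and CVE-2014-8764. The function names and the sample account are hypothetical, and truncation at the first NUL byte is a modelling assumption about how the LDAP client library receives the strings.

```php
<?php
// Added example: pre-bind credential guard. All function names are hypothetical.

/** Assumption: a C-string based client library sees only the bytes before the first NUL. */
function c_string_view(string $s): string
{
    $pos = strpos($s, "\0");
    return $pos === false ? $s : substr($s, 0, $pos);
}

/** Classify a simple bind as RFC 4513 section 5.1 does, using the truncated values. */
function classify_bind(string $user, string $pass): string
{
    $u = c_string_view($user);
    $p = c_string_view($pass);
    if ($p === '') {
        // Empty password: the server never checks a secret.
        return $u === '' ? 'anonymous' : 'unauthenticated';
    }
    return $u === '' ? 'malformed' : 'authenticated';
}

/** Return true only when the bind would really test a password for a named user. */
function credentials_safe_for_bind(string $user, string $pass): bool
{
    // Reject embedded NULs outright: the string validated here is not the string sent.
    if (strpos($user, "\0") !== false || strpos($pass, "\0") !== false) {
        return false;
    }
    return classify_bind($user, $pass) === 'authenticated';
}

// Constructed sample inputs ("alice" is a made-up account name).
$samples = [
    ['alice', 'correct horse'],   // normal login
    ['alice', "\0anything"],      // shape described for CVE-2014-8763
    ["\0alice", "\0anything"],    // shape described for CVE-2014-8764
    ['alice', ''],                // plain empty password
];
foreach ($samples as [$user, $pass]) {
    printf("%-16s %-16s -> %-15s safe=%s\n",
        json_encode($user), json_encode($pass),
        classify_bind($user, $pass),
        credentials_safe_for_bind($user, $pass) ? 'yes' : 'no');
}
```

A successful bind result alone is not proof of identity when the directory accepts anonymous or unauthenticated binds, so the check has to happen before the bind call.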
                

References

SRPMS

4/core

3/core