CVE-2009-1960

Description

inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.

How to fix CVE-2009-1960

To remediate CVE-2009-1960, upgrade the affected package to a fixed version below.

• Debian/dokuwiki—upgrade to 0.0.20090214b-1 or later

Is CVE-2009-1960 being exploited?

Moderate — EPSS is 35.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• from 0, < 0.0.20090214b-1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2009-1960