PT-2012-52: Open Redirect in DokuWiki

Vulnerable software
DokuWiki
Version: 2012-10-13 "Adora Belle" and earlier
Application link: http://www.splitbrain.org/projects/dokuwiki

Severity level
Severity level: Medium
Impact: Open Redirect
Access Vector: Remote
CVSS v2:
Base Score: 5.0
Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE: not assigned

Software description
DokuWiki is a simple to use Wiki aimed at the documentation needs of a small company. It works on plain text files and thus needs no database.

Vulnerability description
Positive Research Center experts have discovered an open redirect issue in /lib/exe/fetch.php. A legitimate query looks as follows:

    /lib/exe/fetch.php?media=http://i.imgur.com/IX1g8.jpg&hash=4fae2b

The "hash" parameter is meant to protect the web application from open redirect and is calculated as follows:

    substr(md5(auth_cookiesalt().$media),0,6)

The value of auth_cookiesalt() cannot be accessed; however, the "hash" parameter and the first 6 characters of the resulting MD5 are compared incorrectly, with the loose != operator, which compares numeric-looking strings as numbers:

    if(substr(md5(auth_cookiesalt().$media),0,6) != $_REQUEST['hash']){
        return array( 412, 'Precondition Failed');
    }

Consider the case when an attacker consecutively sends requests like this:

    /lib/exe/fetch.php?media=http://evilhost.com/?1&hash=0
    /lib/exe/fetch.php?media=http://evilhost.com/?2&hash=0
    ...
    /lib/exe/fetch.php?media=http://evilhost.com/?100&hash=0
    ...

Within a few thousand requests the first 6 characters of MD5 (e.g. 0e1234, 0e1337) will match 0 and, thus, the protection will be bypassed.

How to fix
Update your software to the latest version.

Advisory status
22.10.2012 - Vendor gets vulnerability details
06.03.2013 - Vendor releases fixed version and details
19.03.2013 - Public disclosure

Credits
The vulnerability was discovered by Arseniy Reutov, Positive Research Center (Positive Technologies Company)

References
http://en.securitylab.ru/lab/PT-2012-52

Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
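
The comparison flaw from the vulnerability description, shown beside a strict check, as an added example that is not DokuWiki's code or its actual fix. The function names and all token values are constructed for illustration; the last loop measures what share of 6-hex-character tokens the loose check treats as equal to "0".

```php
<?php
// Added example, not DokuWiki code. All token values below are constructed.

// The comparison style quoted in the advisory: loose != between two strings.
// PHP compares two numeric strings as numbers, so "0e1234" (0 x 10^1234) equals "0".
function loose_check(string $expected, string $supplied): bool
{
    return !($expected != $supplied);
}

// Hardened form: require a string and compare byte-for-byte in constant time.
function strict_check(string $expected, $supplied): bool
{
    return is_string($supplied) && hash_equals($expected, $supplied);
}

// [expected token (first 6 hex chars of an MD5), value sent as "hash"]
$cases = [
    ['4fae2b', '4fae2b'], // correct token
    ['4fae2b', '0'],      // wrong token, expected value is not numeric
    ['0e1234', '0'],      // numeric-looking token from the advisory
    ['0e1337', '0'],
    ['000000', '0'],
];

foreach ($cases as [$expected, $supplied]) {
    printf(
        "expected=%s supplied=%-6s loose=%-6s strict=%s\n",
        $expected,
        $supplied,
        loose_check($expected, $supplied) ? 'accept' : 'reject',
        strict_check($expected, $supplied) ? 'accept' : 'reject'
    );
}

// Share of all 6-hex-character tokens that the loose check treats as equal to "0".
$weak = 0;
$total = 16 ** 6;
for ($i = 0; $i < $total; $i++) {
    if (loose_check(sprintf('%06x', $i), '0')) {
        $weak++;
    }
}
printf("%d of %d tokens loosely equal \"0\" (about 1 in %d)\n", $weak, $total, intdiv($total, $weak));
```

When reviewing other PHP code for the same pattern, look for `==` or `!=` applied to hashes, tokens or signatures taken from request parameters.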