CVE-2009-1960

Name of the Vulnerable Software and Affected Versions: DokuWiki versions 2009-02-14, rc2009-02-06, and rc2009-01-30

Description: The issue allows remote attackers to include and execute arbitrary local files. This can be achieved via the config cascade[main][default][] parameter to "doku.php". Additionally, PHP remote file inclusion is possible in PHP 5 using "ftp://" URLs.

Recommendations: For DokuWiki versions 2009-02-14, rc2009-02-06, and rc2009-01-30, consider disabling the register globals setting to prevent exploitation. As a temporary workaround, restrict access to the "doku.php" endpoint and avoid using the config cascade[main][default][] parameter until a patch is available.