A full path disclosure flaw was found in the way DokuWiki, a standards compliant, simple to use Wiki, performed sanitization of HTTP POST 'prefix' input value prior passing it to underlying PHP substr() routine, when the PHP error level has been enabled on the particular server. A remote attacker could use this flaw to obtain full path location of particular requested DokuWiki page by issuing a specially-crafted HTTP POST request.
This issue affects the versions of the dokuwiki package, as shipped with Fedora release of 16 and 17. Please schedule an update (once final upstream patch available).
This issue affects the versions of the dokuwiki package, as shipped with Fedora EPEL 5 and 6. Please schedule an update (once final upstream patch available).
Created dokuwiki tracking bugs for this issue
Affects: fedora-all [bug 835149]
Affects: epel-all [bug 835150]