Vulnerability Type: Arbitrary command execution
GLSA ID: 200609-10
Package: www-apps/dokuwiki
Affected Versions: =20060309d
Release Date: September 14, 2006
Severity: High
Exploitability: Remote

Description: The vulnerability arises from DokuWiki's failure to sanitize the X-FORWARDED-FOR HTTP header, allowing injection of arbitrary contents like PHP commands. The "bin" directory scripts are also susceptible to directory traversal attacks.

Impact: A remote attacker could execute arbitrary PHP commands, potentially leading to system compromise, with the privileges of the user running the DokuWiki process.

Workaround: Disable remote access to the "bin" subdirectory of the DokuWiki installation. If the scripts are not in use, remove the directory.

Resolution: Upgrade to the latest version of DokuWiki.

References: CVE-2006-4673, CVE-2006-4675, CVE-2006-4679
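The header handling named in the Description, shown as an added example that is not DokuWiki's code or the upstream fix: a forwarded-address header is treated as untrusted text and only entries that parse as IP literals are kept. The helper name client_ip_chain() and the sample requests are assumptions made for illustration; the code assumes PHP 7 or later.

```php
<?php
// Added illustration, not DokuWiki's code. client_ip_chain() is a
// hypothetical helper name chosen for this example.

/**
 * Return the validated address chain for a request: forwarded
 * addresses that parse as IP literals, followed by the socket peer.
 */
function client_ip_chain(array $server): array
{
    $chain = [];
    $raw = $server['HTTP_X_FORWARDED_FOR'] ?? '';

    // The header is client-controlled text: split on commas and keep
    // only entries that are syntactically valid IPv4/IPv6 literals.
    foreach (explode(',', $raw) as $entry) {
        $entry = trim($entry);
        if ($entry !== '' && filter_var($entry, FILTER_VALIDATE_IP) !== false) {
            $chain[] = $entry;
        }
    }

    // REMOTE_ADDR comes from the TCP connection, not from the request
    // headers; validate it anyway before it is stored or logged.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) !== false) {
        $chain[] = $peer;
    }
    return $chain;
}

// Constructed sample request data (documentation address ranges).
$samples = [
    ['HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.2', 'REMOTE_ADDR' => '192.0.2.10'],
    ['HTTP_X_FORWARDED_FOR' => '<?php echo 1; ?>',      'REMOTE_ADDR' => '192.0.2.10'],
    ['HTTP_X_FORWARDED_FOR' => "198.51.100.4\r\nX: y",  'REMOTE_ADDR' => '192.0.2.10'],
];

foreach ($samples as $s) {
    // Only validated literals reach the output; the rest is dropped.
    echo implode(',', client_ip_chain($s)), PHP_EOL;
}
```

Entries that fail validation are discarded rather than escaped, so nothing from the raw header value is ever written to a file or log.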