CVE-2025-51958

aelsantex · aelsantex runcommand Multiple Products

A critical remote code execution vulnerability has been identified in the aelsantex runcommand plugin for DokuWiki.

Executive summary

The aelsantex runcommand plugin for DokuWiki contains a critical remote code execution flaw. An attacker who can reach the plugin's endpoint over HTTP can, without authenticating, execute arbitrary operating-system commands on the server hosting the wiki, which is enough for a complete system compromise, data theft and service disruption. Because the request is trivial to construct and the severity is critical, remediation should not wait for a maintenance window.

Vulnerability

The vulnerability is in lib/plugins/runcommand/postaction.php, a script shipped with the aelsantex runcommand plugin. The script takes request data supplied by the client and passes it to a system command execution function without validating or escaping it, so commands embedded in the request are run by the server. The script is requested by its path under lib/plugins/ rather than through DokuWiki's doku.php front controller, and DokuWiki's login, ACL and security-token checks apply to a plugin script only if the plugin enforces them itself; here they are not enforced, which is why the attack needs no credentials. An attacker sends a crafted HTTP POST request to this endpoint carrying the commands to run, and they execute with the privileges of the web server's user account (for example www-data or apache).

Business impact

This vulnerability is rated critical, with a CVSS base score of 9.8. Successful exploitation gives the attacker code execution on the web server, and from there the usual consequences follow: theft of the wiki's content and of anything else readable by the web server account, deployment of ransomware, destruction of data, and use of the server as a pivot into other internal systems. This is a direct risk to the confidentiality, integrity and availability of the affected data and could result in serious reputational and financial harm.

Remediation

Immediate Action:

  • Immediately apply the vendor's security update to bring the aelsantex runcommand plugin to the latest patched version on every DokuWiki instance. Confirm what is actually installed rather than assuming: the plugin's version is recorded in the date line of lib/plugins/runcommand/plugin.info.txt and is shown by DokuWiki's Extension Manager.
  • If the plugin is not essential for business operations, remove it entirely. Note that disabling a plugin through the Extension Manager only stops DokuWiki from loading it (it creates a disabled marker file in the plugin directory); a script that is requested directly by path may still be reachable, so deleting the lib/plugins/runcommand directory is the safer choice unless web-server access to it is also blocked.

Proactive Monitoring:

  • Review web server access logs for any POST request to /lib/plugins/runcommand/postaction.php, and for any other request into /lib/plugins/runcommand/, which is how a scanner checks whether the plugin is installed. Check the raw logs, not only exact string matches: case variations, percent-encoding and doubled slashes all reach the same file.
  • Monitor for unusual child processes of the web server user (e.g. www-data, apache), such as shells, curl or wget, scripting interpreters, or anything connecting outward. Access logs do not record the POST body, so the injected command is only visible on the host.
  • Scrutinize outbound network traffic from the DokuWiki server for unexpected connections, which could indicate a successful compromise (reverse shells, payload downloads, data exfiltration).
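
The log review in the first bullet, as an added example that is not part of the original advisory or the plugin project: a Python script that parses combined-format access logs (the sample lines below are constructed, not real traffic), normalises the request path so that case, percent-encoding and doubled slashes do not hide the target, and separates POSTs to postaction.php from mere probes of the plugin directory. Treat a 2xx response as a reason to investigate the host (process accounting, or an auditd execve rule filtered on the web server's uid), not as proof that the command ran; a 403 usually means a WAF or access rule blocked the attempt.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Apache "combined" / Nginx default "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

PLUGIN_DIR = "/lib/plugins/runcommand/"
VULN_ENDPOINT = PLUGIN_DIR + "postaction.php"

# Constructed sample lines for this demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:12:00:01 +0000] "GET /doku.php?id=start HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2025:12:00:05 +0000] "POST /lib/plugins/runcommand/postaction.php HTTP/1.1" 200 312 "-" "curl/8.4.0"
198.51.100.9 - - [10/Jul/2025:12:01:11 +0000] "POST /lib/plugins/RunCommand/postaction.php?x=1 HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.9 - - [10/Jul/2025:12:01:12 +0000] "GET /lib/plugins/runcommand/ HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.4 - - [10/Jul/2025:12:02:00 +0000] "POST //lib/plugins/runcommand/postaction%2Ephp HTTP/1.1" 500 0 "-" "Go-http-client/1.1"
192.0.2.4 - - [10/Jul/2025:12:03:00 +0000] "POST /lib/exe/ajax.php HTTP/1.1" 200 40 "https://wiki.example.org/doku.php" "Mozilla/5.0"
"""


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str       # normalised request path
    status: int
    kind: str       # "exec-attempt" (POST to postaction.php) or "probe"


def normalize_path(target: str) -> str:
    """Reduce a request target to a comparable path: drop the query string,
    decode percent-encoding (e.g. %2E -> '.'), collapse repeated slashes and
    lower-case it, so trivial evasions still match the signature."""
    path = unquote(target.split("?", 1)[0])
    while "//" in path:
        path = path.replace("//", "/")
    return path.lower()


def find_runcommand_requests(log_text: str) -> list[Hit]:
    """Return every request that touched the runcommand plugin directory.
    A POST to postaction.php is an exec-attempt; any other request under the
    plugin directory is recorded as a probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = normalize_path(m["target"])
        if not path.startswith(PLUGIN_DIR):
            continue
        is_exec = m["method"] == "POST" and path == VULN_ENDPOINT
        hits.append(Hit(m["ip"], m["ts"], m["method"], path,
                        int(m["status"]), "exec-attempt" if is_exec else "probe"))
    return hits


def likely_successful(hits: list[Hit]) -> Counter:
    """Count exec-attempts per source IP that received a 2xx response.
    The POST body is not logged, so a 2xx is where host-level investigation
    starts, not proof that a command ran."""
    return Counter(h.ip for h in hits
                   if h.kind == "exec-attempt" and 200 <= h.status < 300)


if __name__ == "__main__":
    hits = find_runcommand_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h.kind:13} {h.ip:14} {h.ts} {h.method} {h.path} -> {h.status}")
    print("investigate first:", dict(likely_successful(hits)))
```

Run it against a real log with `find_runcommand_requests(open("/var/log/nginx/access.log").read())`; the normalisation is deliberately looser than the file system (a request for /RunCommand/ would 404 on a case-sensitive file system) because the goal is to see who is looking for the plugin, not only who hit it.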

Compensating Controls:

  • If patching is not immediately feasible, use a Web Application Firewall (WAF) as a virtual patch that blocks every request to postaction.php under the runcommand plugin directory, matching on the normalised path so that encoding tricks do not bypass the rule.
  • Implement web server access control rules (e.g. via .htaccess or Nginx configuration) to deny all external access to the /lib/plugins/runcommand/ directory. DokuWiki aggregates plugin script.js and style.css server-side through lib/exe/js.php and lib/exe/css.php, so blocking direct HTTP access to a plugin directory rarely affects page rendering; it removes the attack surface the advisory describes.
  • Ensure the web server and PHP run as a dedicated low-privilege account with write access only to the DokuWiki data directory, to limit what a successful exploit can reach.
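
A concrete form of the web-server access rule, as an added example that is not part of the original advisory or the plugin project. The host name, document root and PHP-FPM socket path are hypothetical placeholders for your own deployment.

```nginx
# Added example; not from the original advisory or the plugin project.
# Assumes DokuWiki lives in /var/www/dokuwiki behind a single server block.
server {
    listen 443 ssl;
    server_name wiki.example.org;          # hypothetical host name
    root /var/www/dokuwiki;                # hypothetical document root

    # Virtual patch: refuse every request into the vulnerable plugin directory,
    # regardless of method or query string. Nginx decodes percent-encoding and
    # merges repeated slashes before location matching, and the ^~ modifier
    # makes this prefix match take precedence over the regex PHP handler below,
    # so postaction.php can never reach PHP-FPM.
    location ^~ /lib/plugins/runcommand/ {
        return 403;
    }

    # Normal PHP handling for the rest of DokuWiki.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # hypothetical socket path
    }
}
```

The Apache 2.4 equivalent is a `Require all denied` line in lib/plugins/runcommand/.htaccess (AllowOverride must permit it) or in a matching `<Directory>` block in the virtual host. Verify the rule after reloading: `curl -si -X POST https://wiki.example.org/lib/plugins/runcommand/postaction.php | head -1` must return a 403 status, and the earlier log review should then show only blocked attempts against that path.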

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the CVSS score of 9.8 and the fact that the flaw gives unauthenticated remote code execution, this vulnerability is a severe and immediate threat to the organization. We strongly recommend patching all affected DokuWiki instances immediately. Where patching cannot be performed, the compensating controls, removing the plugin or blocking access to its directory at the web server or WAF, must be put in place as a top priority to prevent a full system compromise.