CVE-2006-5099 in DokuWiki

Summary

by MITRE

lib/exec/fetch.php in DokuWiki before 2006-03-09e, when conf[imconvert] is configured to use ImageMagick, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) w and (2) h parameters, which are not filtered when invoking convert.


Analysis

by VulDB Data Team • 04/23/2026

CVE-2006-5099 is a critical command injection flaw in DokuWiki versions prior to 2006-03-09e, located in the image processing path that calls ImageMagick's convert utility. The defect sits in the lib/exec/fetch.php component, which fails to sanitize user-supplied parameters before placing them on a system command line. The flaw is reachable only when the configuration parameter conf[imconvert] points DokuWiki at ImageMagick for image processing; in that configuration, request input that was meant to be read as image dimensions can instead be interpreted by the shell as commands.

Technically, the vulnerability stems from the improper handling of the w and h parameters in the fetch.php script, which specify the target image dimensions for the conversion. These parameters are concatenated directly into the ImageMagick convert command without validation or escaping, so shell metacharacters such as semicolons, pipes, or command substitution operators are passed through intact. When a request carries such metacharacters in either the width or height parameter, the injected commands run with the privileges of the web server process, which can lead to full compromise of the host.

The operational impact extends well beyond a single command execution: the attacker gains the ability to perform arbitrary operations on the affected system with the rights of the web server account. This includes, but is not limited to, reading sensitive files, running further commands, establishing reverse shells, or escalating privileges if the web server process runs with elevated permissions. The vulnerability affects every DokuWiki installation that uses ImageMagick for image processing, and it is especially dangerous where the wiki is exposed to untrusted external users. The flaw lies at the intersection of missing input validation and unsafe command construction, and it lets an attacker bypass the application's normal security controls entirely.

Mitigation for CVE-2006-5099 should begin with updating affected DokuWiki installations to version 2006-03-09e or later, which contains the required input sanitization fixes. Organizations should also enforce proper input validation that filters or escapes special characters before user-supplied parameters are processed. The vulnerability aligns with CWE-78, improper neutralization of special elements used in OS commands, and corresponds to ATT&CK technique T1059.001 for command and script injection. Additional defensive measures include restricting web server privileges, implementing network segmentation, and monitoring for unusual command execution patterns that may indicate exploitation attempts. Security practitioners should also consider a web application firewall capable of detecting and blocking payloads that target similar command injection flaws in other applications.
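To make the distinction between unsafe and safe command construction concrete, the following is an added illustration written for this page; it is not DokuWiki's actual fetch.php code and reconstructs only the pattern the analysis describes. The function names resize_unsafe, resize_safe and parse_dimension, the parameter names, and the sample request values are all assumptions made here. The unsafe variant splices the raw w and h query values into the command string exactly as the vulnerable behaviour is described; the hardened variant first constrains both values to a bounded integer and then quotes every argument with PHP's escapeshellarg(), so that nothing from the request reaches the shell unquoted.

```php
<?php
// Added example for CVE-2006-5099; not DokuWiki's own code.
// Assumed: $convert is the configured path from conf[imconvert], and
// $from/$to are server-controlled file paths (hypothetical names).

// Vulnerable pattern: request values spliced straight into a shell command.
// Anything /bin/sh treats specially in $w or $h (;, |, $(...), backticks)
// is interpreted by the shell, not by convert.
function resize_unsafe(string $convert, string $from, string $to,
                       string $w, string $h): string {
    $cmd = "$convert -resize {$w}x{$h} $from $to";
    return $cmd; // the original code would hand this to exec()/system()
}

// Hardened step 1: accept only a plain decimal integer within a sane range.
// Returns null for anything else so the caller can reject the request.
function parse_dimension(string $raw, int $max = 4096): ?int {
    if (!preg_match('/^[1-9][0-9]{0,4}$/', $raw)) {
        return null; // non-digits, leading zeros, empty string, metacharacters
    }
    $n = (int) $raw;
    return $n <= $max ? $n : null;
}

// Hardened step 2: build the command only from validated integers and
// escape every argument. escapeshellarg() single-quotes each value, so even
// the server-controlled paths cannot break out of their argument slot.
function resize_safe(string $convert, string $from, string $to,
                     string $w, string $h): ?string {
    $wi = parse_dimension($w);
    $hi = parse_dimension($h);
    if ($wi === null || $hi === null) {
        return null; // respond 400 and log the rejected values
    }
    return escapeshellarg($convert)
         . ' -resize ' . escapeshellarg($wi . 'x' . $hi)
         . ' ' . escapeshellarg($from)
         . ' ' . escapeshellarg($to);
}

// Constructed inputs: one well-formed request and two malformed ones.
// Note that the malformed values carry no command at all; the point is that
// the validator rejects anything that is not a bare integer.
$convert = '/usr/bin/convert';
$from    = '/var/www/data/media/wiki/logo.png';
$to      = '/var/www/data/media/_cache/logo_resized.png';

foreach ([['200', '100'], ['200;', '100'], ['abc', '9999999']] as [$w, $h]) {
    printf("w=%-8s h=%-8s unsafe: %s\n", $w, $h,
           resize_unsafe($convert, $from, $to, $w, $h));
    $safe = resize_safe($convert, $from, $to, $w, $h);
    printf("%-20s safe:   %s\n", '', $safe ?? 'REJECTED (invalid dimension)');
}
```

Running the script shows the unsafe builder emitting a command line that still contains the stray semicolon and the non-numeric width, while resize_safe only ever produces a fully quoted command for the valid pair and returns null for the other two. Validation before escaping is deliberate: escapeshellarg() alone would keep the shell from interpreting a value, but it would still let arbitrary strings reach convert as a geometry argument, and a bounded integer is the only thing this parameter should ever be.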

Reservation: 09/29/2006

Disclosure: 09/29/2006

Moderation: accepted

Entry: VDB-32558

CPE: ready

EPSS: 0.02648

KEV: no

Activities: very low

Sources
