
missing permission check in ACL Plugin Remote API part #1056

Closed
@splitbrain

Description

Security Issue

Severity: Medium
Type: Remote Privilege Escalation
Remote: yes

Vulnerability Details:

There is a security hole in the ACL plugin's remote API component. The plugin fails to check for superuser permissions before executing an ACL addition or deletion. This means that everybody with permission to call the XML-RPC API can also set up their own ACL rules and thus circumvent any existing rules.
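The bug class described above, modelled in PHP as an added example (this is not DokuWiki's code and not the linked commit): a remote method that is reachable by anyone allowed to use the API performs a privileged operation, here an ACL edit, without checking that the caller is a superuser. The coarse "may use the API" gate happens before dispatch and does not help, because the method itself trusts every caller. The class and method names (AclStore, Session, AclRemoteVulnerable, AclRemoteFixed, addAcl, delAcl) and the session stand-in are assumptions; the permission values follow DokuWiki's levels (AUTH_READ is 1, AUTH_ADMIN is 255). Requires PHP 8.

```php
<?php
// Added illustration of a missing per-method authorization check in an
// XML-RPC handler. Not DokuWiki's code; all class and method names are assumed.

class RemoteAccessDenied extends Exception {}

// Stand-in for the identity of the current API caller (assumed).
class Session {
    public function __construct(public string $user, public bool $superuser) {}
}

// Stand-in for the ACL rule store (assumed). Rules are "scope\tsubject\tperm".
class AclStore {
    private array $rules = [];

    public function add(string $scope, string $subject, int $perm): void {
        $this->rules[] = "$scope\t$subject\t$perm";
    }

    // Removes every rule for the scope/subject pair; returns how many were removed.
    public function del(string $scope, string $subject): int {
        $prefix = "$scope\t$subject\t";
        $before = count($this->rules);
        $this->rules = array_values(array_filter(
            $this->rules,
            fn(string $r) => !str_starts_with($r, $prefix)
        ));
        return $before - count($this->rules);
    }

    public function rules(): array { return $this->rules; }
}

// Vulnerable shape: the API layer has already decided that the caller may use
// the API at all, but the ACL methods do no check of their own, so any API
// user can rewrite the ACL.
class AclRemoteVulnerable {
    public function __construct(protected AclStore $acl, protected Session $session) {}

    public function addAcl(string $scope, string $user, int $level): bool {
        $this->acl->add($scope, $user, $level);
        return true;
    }

    public function delAcl(string $scope, string $user): bool {
        return $this->acl->del($scope, $user) > 0;
    }
}

// Hardened shape: every ACL-modifying method checks superuser status first
// and refuses the call otherwise. The check lives in the method, not only in
// the API gate, so a future method added to this class cannot forget it silently.
class AclRemoteFixed extends AclRemoteVulnerable {
    private function requireSuperuser(): void {
        if (!$this->session->superuser) {
            throw new RemoteAccessDenied('superuser permission is required to modify ACLs');
        }
    }

    public function addAcl(string $scope, string $user, int $level): bool {
        $this->requireSuperuser();
        return parent::addAcl($scope, $user, $level);
    }

    public function delAcl(string $scope, string $user): bool {
        $this->requireSuperuser();
        return parent::delAcl($scope, $user);
    }
}

// Demonstration with a constructed session: an ordinary user who is allowed to
// call the API grants themselves admin (255) on the whole wiki ("*").
$caller = new Session('mallory', superuser: false);

$acl = new AclStore();
$acl->add('*', '@ALL', 1);                       // baseline: everyone may read
(new AclRemoteVulnerable($acl, $caller))->addAcl('*', 'mallory', 255);
echo "vulnerable: ", implode(' | ', $acl->rules()), "\n";

$acl = new AclStore();
$acl->add('*', '@ALL', 1);
try {
    (new AclRemoteFixed($acl, $caller))->addAcl('*', 'mallory', 255);
} catch (RemoteAccessDenied $e) {
    echo "fixed: denied (", $e->getMessage(), ")\n";
}
echo "fixed: ", implode(' | ', $acl->rules()), "\n";
```

Running the script with `php` prints the vulnerable store containing the self-granted `*\tmallory\t255` rule, while the hardened handler rejects the call and leaves only the baseline rule. The design point is the placement of the check: authorization for a privileged operation belongs in the method that performs it, so that the audit question "who may reach this code path" has one answer regardless of how many transports (XML-RPC, the admin UI, a future REST endpoint) expose it.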

Risk Assessment:

The XML-RPC API in DokuWiki is marked experimental and is off by default. It also implements an additional safeguard by granting access to a configured set of users and groups only. So only a small number of DokuWiki installations will be affected at all.

For affected installations the risk is high if the users with access to the API are not trusted. Hence the overall severity of medium.

Resolution:

Installations applying the linked commit are safe. A hotfix is about to be released. Meanwhile, users are advised to disable the XML-RPC API in the config manager.
