reflected file download vulnerability #2029
Comments
The actual problem here is that the error message reflects the passed parameter uncleaned (because it is a text/plain response). This allows injecting arbitrary code into the response, e.g. to create a valid batch file. A user may be tricked into downloading and executing the resulting code (assisted by the |
Correction: the response is of a |
I would suggest to simply remove the call parameter from the output. If it is really useful for debugging (I doubt that), it could be printed when debugging is enabled. |
fixed in 238b8e8 |
Hey there, looks like this patch doesn't actually fix this issue.
You will see An easy patch that I would recommend is to |
Issue is here:
easy fix :) Thanks, |
the issue has been fixed but not rolled out to dokuwiki.org, yet. |
Oh yep you're right @splitbrain ! I checked a vulnerable version haha! Thanks. |
Is there any h1 private program for dokuwiki? |
@trichimtrich I'm not sure what you mean, can you contact me at andi[at]splitbrain.org? |
He was asking if you had a program on https://hackerone.com. This was originally reported by me to a program running this wiki. @trichimtrich they do not have a program on there. |
I've got it. Thank you |
No problem. |
This issue was assigned CVE-2017-18123 |
Is there a stable release planned that includes these fixes? |
For the coming release, there are still pending issues. Please see https://github.com/splitbrain/dokuwiki/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22%F0%9F%90%B1+Greebo%22 There is no release date planned. |
@splitbrain Has this been fixed with Greebo? |
@takuy It should be fixed, because there are |
@phy25 I see. Thanks! Just saw this issue was still open; there's a CVE still open for this, so wanted to make sure it was resolved or not. |
For me Greebo behaved the same as the previous vulnerable version. Did anyone else test it? |
@r0bag Tested it. The response is cleaned. You can test it with the links in the original post above. DokuWiki.org will respond to |
Yep, I can confirm this is fixed. |
originally reported in https://hackerone.com/reports/238316
Description
The call= parameter on https://www.dokuwiki.org/lib/exe/ajax.php does not properly encode user input, which leads to the reflected file download vulnerability.
Example: https://www.dokuwiki.org/lib/exe/ajax.php?call=%7c%7c%63%61%6c%63%7c%7c
The server responds with:
AJAX call '||calc||' unknown!
Impact
This can lead to arbitrary code execution on a victim's machine!
Reproduction on Windows!!
1.) Open Chrome Browser
2.) Visit redacted - contained a link with a download attribute
3.) Right click the Download link and click Save Link As and then save.
4.) installer.bat should then download, which contains the attacker's shellcode, downloaded from https://www.dokuwiki.org/lib/exe/ajax.php?call=%7c%7c%63%61%6c%63%7c%7c
If the user runs this batch file in Windows, it will open your calculator! This could lead to the entire compromise of the victim's computer.
Patch
I recommend URL encoding any characters in the server response (if the ajax call is not found) such as & and ; and |
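As an added illustration of the patch recommended above (this is not DokuWiki's code and not the fix in 238b8e8; function names are hypothetical), the unknown-call message in its reflecting form next to two hardened forms, plus the response headers that close the download vector even if reflection slips through:

```php
<?php
// Added example, not DokuWiki's own code. Shows why a text/plain error
// that echoes the call parameter verbatim is a reflected file download
// sink, and how percent-encoding or allow-listing removes it.

// Vulnerable shape: the raw parameter is echoed into a text/plain body,
// so '||calc||' lands in the saved file as a cmd.exe command chain.
function unknownCallMessageVulnerable(string $call): string {
    return "AJAX call '$call' unknown!\n";
}

// Hardened shape (the URL-encoding the report recommends): rawurlencode()
// turns every byte outside A-Z a-z 0-9 - _ . ~ into %XX, so '||calc||'
// is reflected as '%7C%7Ccalc%7C%7C' and no shell metacharacter survives.
function unknownCallMessageHardened(string $call): string {
    return "AJAX call '" . rawurlencode($call) . "' unknown!\n";
}

// Stricter shape (the comment above suggesting to drop the parameter from
// the output): echo it only when debugging and only if it is a plain
// identifier; otherwise emit a constant message.
function unknownCallMessageStrict(string $call, bool $debug = false): string {
    if (!$debug || !preg_match('/^[A-Za-z0-9_]+$/', $call)) {
        return "AJAX call unknown!\n";
    }
    return "AJAX call '$call' unknown!\n";
}

// Defence in depth for any text/plain error endpoint: the HTML download
// algorithm prefers a server-supplied attachment filename over the link's
// download attribute, and nosniff stops the browser re-typing the body.
function hardenedHeaders(): array {
    return [
        'Content-Type: text/plain; charset=utf-8',
        'Content-Disposition: attachment; filename="ajax-error.txt"',
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed input: the payload quoted in the report.
$payload = '||calc||';
assert(unknownCallMessageVulnerable($payload) === "AJAX call '||calc||' unknown!\n");
assert(unknownCallMessageHardened($payload) === "AJAX call '%7C%7Ccalc%7C%7C' unknown!\n");
assert(unknownCallMessageStrict($payload, true) === "AJAX call unknown!\n");
assert(unknownCallMessageStrict('plugin_foo', true) === "AJAX call 'plugin_foo' unknown!\n");
echo unknownCallMessageHardened($payload);
```

Run with `php example.php`; with zend.assertions enabled the asserts check that the encoded message contains no `|` while a plain identifier still round-trips in debug mode.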