Possible XSS vulnerability

[enferas]

Hello,

I would like to report for possible XSS vulnerability.

The source in this file https://github.com/splitbrain/dokuwiki/blob/master/vendor/openpsa/universalfeedcreator/lib/Creator/HTMLCreator.php Line 157 in function _generateFilename.

While the sink in this https://github.com/splitbrain/dokuwiki/blob/master/feed.php line 103.

I tried to test the pathinfo function in PHP. And I found it is possible to bypass this function with this example.

<?php
$path_parts = pathinfo('/path/<img src="aaa.img" onerror=alert(document.cookie);>');

echo $path_parts['basename'], "\n"; // XSS 

[mprins]

This seems to be something in this 3rd party library and it's not clear if is it is a vulnerability in DokuWiki which has quite a bit of sanitising code.

In the meantime please report this to the authors of the universalfeedcreator package as listed in https://github.com/splitbrain/dokuwiki/blob/master/vendor/openpsa/universalfeedcreator/composer.json

[enferas]

Thank you for the response.

After contacting the vendor the vulnerability is confirmed and the fixed is done in this push.
flack/UniversalFeedCreator@e4736a6

I just would like to mention that the source was coming from the vendor while the sink was in feed.php file.

[enferas]

CVE-2022-28919 is assigned to this vulnerability.
Thank you.