Summary

DokuWiki 2024-02-06a has a stored XSS vulnerability: an attacker can upload a malicious SVG file to obtain other users' cookies.

Details

We found that in the Media Manager, it is allowed to include svg in the file extension list. SVG files can execute HTML code.

We posted an SVG file containing malicious code, and then clicked to view it:

http://192.168.160.154:1042/lib/exe/fetch.php?media=alert.svg

It doesn't seem to trigger the popup code. But when we access the URL

http://192.168.160.154:1042/data/media/alert.svg

we found that it successfully executed the code. We should not put the save location of the SVG file in a place where the user can access it. The fetch.php file used for HTML code filtering here looks funny.

Of course, it is important to note that not every SVG file can be successfully uploaded, because I have noticed that when the SVG file is uploaded, the server detects malicious code and reports that the upload operation is blocked because of possible malicious content.

Proof of Concept (POC)

Then visit http://your-ip/data/media/alert.svg to trigger it.

Version of DokuWiki

DokuWiki 2024-02-06a "Kaos"

PHP Version

8.2

Reply

Your data directory should never be directly accessible. This is a misconfiguration of your webserver, and the admin interface should warn you about it. All access to media files has to go through the fetch.php dispatcher, which will add a CSP header to prevent attacks like these (and will also check ACLs).
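The reply above names two conditions a deployment has to meet: the data/ directory must not be served by the webserver, and media must be reachable only through fetch.php, which attaches a Content-Security-Policy. The script below is an added example for this thread, not DokuWiki code and not the reporter's PoC. It probes both conditions against a running instance and, separately, turns the observed responses into findings so the decision logic can be exercised offline. Assumptions: the media file `wiki/dokuwiki-128.png` is taken to be present in a stock install (pass another path if it was removed); the CSP test counts a policy as adequate only if it carries a `sandbox` directive without `allow-scripts` or an effective script source of `'none'`, since `'self'` would still let an uploaded SVG pull a same-origin script. The HTTP status codes and headers used in the usage examples are constructed.

```python
"""Check a DokuWiki instance for direct data/ exposure and for a
script-blocking CSP on media served by fetch.php.

Added example; not part of DokuWiki or of the issue above.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Assumption: this file ships with a stock DokuWiki install.
DEFAULT_MEDIA = "wiki/dokuwiki-128.png"

MESSAGES = {
    "DIRECT_ACCESS": "data/ is directly readable: fetch.php (ACLs, CSP) is bypassed",
    "NO_CSP": "fetch.php served media without a Content-Security-Policy header",
    "WEAK_CSP": "fetch.php CSP would still let a script in an SVG run",
    "INCONCLUSIVE": "media file not found via fetch.php; direct-access result proves nothing",
}


def csp_blocks_script(csp: str) -> bool:
    """True if this CSP value stops a <script> inside a served SVG.

    Accepted: a 'sandbox' directive without allow-scripts, or an effective
    script source (script-src, else default-src) of exactly 'none'.
    'self' is deliberately not accepted: it blocks inline script but would
    still permit loading another same-origin file as a script.
    """
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            # CSP ignores repeated directives; keep the first occurrence.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    if "sandbox" in directives and "allow-scripts" not in directives["sandbox"]:
        return True
    script_src = directives.get("script-src", directives.get("default-src"))
    return script_src == ["'none'"]


def assess(direct_status: int, fetch_status: int, fetch_headers: dict) -> list:
    """Map the two observed responses to a list of finding codes.

    direct_status: status of GET <base>/data/media/<file>
    fetch_status, fetch_headers: response to GET <base>/lib/exe/fetch.php?media=<file>
    """
    findings = []
    if fetch_status == 404:
        # A 404 on the direct URL means nothing if the file does not exist.
        findings.append("INCONCLUSIVE")
    if direct_status == 200:
        findings.append("DIRECT_ACCESS")
    if fetch_status == 200:
        headers = {k.lower(): v for k, v in fetch_headers.items()}
        csp = headers.get("content-security-policy")
        if csp is None:
            findings.append("NO_CSP")
        elif not csp_blocks_script(csp):
            findings.append("WEAK_CSP")
    return findings


def _get(url: str):
    """GET a URL and return (status, headers), treating HTTP errors as data."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def probe(base_url: str, media: str = DEFAULT_MEDIA) -> list:
    """Run both requests against a live instance and return finding codes."""
    direct_status, _ = _get(urljoin(base_url, "data/media/" + media))
    fetch_status, fetch_headers = _get(
        urljoin(base_url, "lib/exe/fetch.php?media=" + media.replace("/", ":"))
    )
    return assess(direct_status, fetch_status, fetch_headers)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python check_dokuwiki_media.py http://wiki.example/ [media-id]")
    codes = probe(sys.argv[1], *sys.argv[2:3])
    for code in codes or ["OK"]:
        print(code, "-", MESSAGES.get(code, "no findings"))
```

Run it with the wiki's base URL; a hardened install reports `OK`, the setup described in this issue reports `DIRECT_ACCESS`. Because `assess` is separated from the network code, the same logic can be replayed against saved responses from a pentest, for example `assess(200, 200, {"Content-Security-Policy": "sandbox; default-src 'none'"})` returns `['DIRECT_ACCESS']` while `assess(403, 200, {"Content-Security-Policy": "default-src 'self'"})` returns `['WEAK_CSP']`.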