[Security] Reflected XSS in doku.php #2061

Closed
trichimtrich opened this Issue Aug 1, 2017 · 7 comments

trichimtrich commented Aug 1, 2017

Bug

Field at is not sanitized in msg error message. It's a reflected XSS.

Detail

doku.php

$DATE_AT = $INPUT->str('at');   // untrusted value taken straight from the query string
...
msg(sprintf($lang['unable_to_parse_date'], $DATE_AT));   // formatted into the message and passed to msg() without escaping

PoC

http://localhost/dokuwiki/doku.php?id=wiki:welcome&at=<svg onload=alert(cookie)>

trichimtrich commented Aug 1, 2017

Did not check all msg refs yet, but I wonder why not sanitize inside the function, because it does not need to contain any HTML tag.
Just a thought. The fix is ok 👍


Collaborator

phy25 commented Aug 1, 2017

@trichimtrich I am not sure whether "No raw HTML is contained" before everything is checked through. I have seen htmlspecialchars sanitization somewhere else ($ACT filtering) in DokuWiki. Maybe the maintainers are sure about this 😀


Owner

splitbrain commented Aug 1, 2017

Yeah, the message function is used in some cases with HTML output, e.g. to display links. We try to sanitize before passing things on to msg(), but this one slipped through.

It might be an idea to make msg() escape by default, except when a parameter is set... Feel free to open a ticket for that.
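As an added illustration (not DokuWiki's code; `msg_raw`, `msg_safe`, `hsc_example` and the message template are constructed), the pattern from this issue: a message helper that emits HTML, first as the vulnerable shape, then with escaping at the call site as the fix does, and then with splitbrain's escape-by-default idea. It also shows the double-escaping that results if both are combined, which is the migration cost of changing the default.

```php
<?php
// Vulnerable shape: the caller formats untrusted input straight into HTML.
function msg_raw(string $message): string {
    return '<div class="error">' . $message . '</div>';
}

// Mitigation 1 (the approach the fix takes): escape at the call site before
// the value reaches msg(). Same flags DokuWiki's own hsc() helper uses.
function hsc_example(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Mitigation 2 (splitbrain's suggestion): escape inside msg() by default and
// make callers that genuinely need markup (e.g. links) opt in explicitly.
function msg_safe(string $message, bool $allowHtml = false): string {
    $body = $allowHtml ? $message : hsc_example($message);
    return '<div class="error">' . $body . '</div>';
}

// Constructed stand-ins for the `at` query parameter and the lang template.
$dateAt   = '<svg onload=alert(cookie)>';
$template = 'Unable to parse at parameter "%s".';

// Vulnerable: the <svg> tag reaches the browser intact.
echo msg_raw(sprintf($template, $dateAt)), PHP_EOL;

// Fixed at the call site: rendered as &lt;svg ...&gt;, so it is inert text.
echo msg_raw(sprintf($template, hsc_example($dateAt))), PHP_EOL;

// Escape-by-default msg(): same inert output, but no caller can forget it.
echo msg_safe(sprintf($template, $dateAt)), PHP_EOL;

// Caveat: escaping at the call site AND inside msg() yields &amp;lt;svg ...,
// which is what every existing pre-sanitizing caller would show after a
// default change. Callers passing real markup must opt in instead:
echo msg_safe('<a href="/">' . hsc_example('home') . '</a>', true), PHP_EOL;
echo msg_safe(sprintf($template, hsc_example($dateAt))), PHP_EOL;
```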


Owner

splitbrain commented Aug 1, 2017

@bug can you cherry-pick 6057f47 and release a hotfix?


carnil commented Aug 6, 2017

This issue has been assigned CVE-2017-12583

bug added a commit that referenced this issue Aug 11, 2017

Collaborator

bug commented Aug 11, 2017

I have just released two hotfix releases of DokuWiki which include commit 6057f47's fix:

  • 2017-02-19c "Frusterick Manners"
  • 2016-06-26c "Elenor of Tsort"

Thanks for reporting and fixing this issue.
