[Security] Refected XSS in doku.php

[trichimtrich]

Bug

Field at is not sanitized in msg error message. It's a reflected XSS.

Detail

doku.php

$DATE_AT = $INPUT->str('at');
...
msg(sprintf($lang['unable_to_parse_date'], $DATE_AT));

PoC

http://localhost/dokuwiki/doku.php?id=wiki:welcome&at=<svg onload=alert(cookie)>

[phy25]

Can be reproduced at https://www.dokuwiki.org/doku.php?at=%3Csvg%20onload=alert(cookie)%3E or https://www.dokuwiki.org/doku.php?id=wiki:welcome&at=%3Csvg%20onload=alert(cookie)%3E.

[trichimtrich]

Did not check all msg ref yet, but I wonder why not sanitize inside the function, because it does not need to contain any html tag.
Just a thought. The fixed is ok 👍

[phy25]

@trichimtrich I am not sure whether "No raw HTML is contained" before everything is checked through. I have seen htmlspecialchars sanitization somewhere else ($ACT flitering) in DokuWiki. Maybe the maintainers are sure about this 😀

[splitbrain]

Yeah, the message function is used in some cases with HTML output. Eg to display links. We try to sanitize before passing things on to msg() but this one slipped through.

It might be an idea to make msg() escape by default, except when a parameter is set... Feel free to open a ticket for that.

[splitbrain]

@bug can you cherry-pick 6057f47 and release a hotfix?

[carnil]

This issue has been assigned CVE-2017-12583

[bug]

I have just released two hotfix releases of DokuWiki which include commit 6057f47's fix:

• 2017-02-19c "Frusterick Manners"
• 2016-06-26c "Elenor of Tsort"

Thanks for reporting and fixing this issue.