
[Security] Reflected XSS in doku.php #2061

Closed

trichimtrich opened this issue Aug 1, 2017 · 7 comments

Comments

@trichimtrich trichimtrich commented Aug 1, 2017

Bug

Field at is not sanitized in msg error message. It's a reflected XSS.

Detail

doku.php

$DATE_AT = $INPUT->str('at');   // raw request parameter, taken as-is
...
msg(sprintf($lang['unable_to_parse_date'], $DATE_AT));   // interpolated into an HTML message without escaping

PoC

http://localhost/dokuwiki/doku.php?id=wiki:welcome&at=<svg onload=alert(cookie)>

Author

@trichimtrich trichimtrich commented Aug 1, 2017

Did not check all msg refs yet, but I wonder why not sanitize inside the function, because it does not need to contain any HTML tag.
Just a thought. The fix is ok 👍

Collaborator

@phy25 phy25 commented Aug 1, 2017

@trichimtrich I am not sure whether "No raw HTML is contained" holds before everything is checked through. I have seen htmlspecialchars sanitization somewhere else ($ACT filtering) in DokuWiki. Maybe the maintainers are sure about this 😀

Owner

@splitbrain splitbrain commented Aug 1, 2017

Yeah, the message function is used in some cases with HTML output, e.g. to display links. We try to sanitize before passing things on to msg(), but this one slipped through.

It might be an idea to make msg() escape by default, except when a parameter is set... Feel free to open a ticket for that.
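The two approaches discussed in this thread, as an added PHP example that is not DokuWiki's code: the unescaped pattern from the report beside the fix of escaping the at value before it reaches the message function, and the escape-by-default msg() variant with an explicit opt-in for HTML that splitbrain proposes. The function names, the message template standing in for $lang['unable_to_parse_date'] and the sample input are constructed for this example; DokuWiki's real msg() signature is not reproduced.

```php
<?php
// Added example, not DokuWiki code. All names below are hypothetical.

// Vulnerable pattern from the report: the raw 'at' request parameter is
// interpolated into a message that is later emitted as HTML.
function vulnerable_message(string $at, string $template): string
{
    return sprintf($template, $at);
}

// Fix applied at the call site: escape the untrusted value before it is
// formatted into the message. ENT_QUOTES also neutralises attribute contexts.
function hardened_message(string $at, string $template): string
{
    $safe = htmlspecialchars($at, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf($template, $safe);
}

// The alternative suggested in the thread: a message function that escapes
// by default, so a caller has to opt in explicitly when it really passes
// HTML (for example a link it has already built from escaped parts).
function msg_escaped(string $text, bool $allowHtml = false): string
{
    $body = $allowHtml
        ? $text
        : htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="error">' . $body . '</div>';
}

// Constructed sample input: a harmless tag standing in for an unparsable
// date value arriving in the 'at' parameter.
$template = 'Unable to parse "%s" as a date';   // stand-in for $lang['unable_to_parse_date']
$at = '<b>not a date</b>';

echo vulnerable_message($at, $template), PHP_EOL;   // tag survives into the HTML
echo hardened_message($at, $template), PHP_EOL;     // tag is rendered as text

// Escape-by-default: the default call is safe even when the caller forgot
// to sanitize; the opt-in is visible at the call site during review.
echo msg_escaped(sprintf($template, $at)), PHP_EOL;
echo msg_escaped('<a href="/doku.php">Back</a>', true), PHP_EOL;
```

The value of the escape-by-default design is that a missed call-site sanitization, like the one in this issue, fails closed: only callers that pass true for $allowHtml can emit markup, which makes those places easy to find and audit.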

Owner

@splitbrain splitbrain commented Aug 1, 2017

@bug can you cherry-pick 6057f47 and release a hotfix?


@carnil carnil commented Aug 6, 2017

This issue has been assigned CVE-2017-12583

bug added a commit that referenced this issue Aug 11, 2017
Collaborator

@bug bug commented Aug 11, 2017

I have just released two hotfix releases of DokuWiki which include commit 6057f47's fix:

  • 2017-02-19c "Frusterick Manners"
  • 2016-06-26c "Elenor of Tsort"

Thanks for reporting and fixing this issue.
