CVE-2017-12979 Stored XSS in xhtml.php with code block #2080

Closed
trichimtrich opened this Issue Aug 16, 2017 · 4 comments

trichimtrich commented Aug 16, 2017

Bug

The specific language parsed in a code block is not checked or sanitized before rendering wiki content. An attacker can force an admin to enable phpok in the configuration through malicious JavaScript.

Detail

/inc/parser/xhtml.php

function _highlight($type, $text, $language = null, $filename = null) {
...
        if(is_null($language)) {
            $this->doc .= '<pre class="'.$type.'">'.$this->_xmlEntities($text).'</pre>'.DOKU_LF;
        } else {
            $class = 'code'; //we always need the code class to make the syntax highlighting apply
            if($type != 'code') $class .= ' '.$type;

            // Bug is in this line of code: $language is interpolated into the
            // class attribute without validation or escaping, so a double quote
            // in the language name breaks out of the attribute
            $this->doc .= "<pre class=\"$class $language\">".p_xhtml_cached_geshi($text, $language, '').'</pre>'.DOKU_LF;
        }
...
}

PoC

<code abc"onmouseover="alert(1)>
stored xss
</code>
phy25 commented Aug 16, 2017

I am wondering whether $language should be limited to [a-z0-9A-Z_-]* (this covers geshi's supported languages, and this is what we do in act_clean()), or we just sanitize it before the output.
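The two options weighed above (restricting $language to a character whitelist versus escaping it at output time) can be compared directly against the unsanitized interpolation quoted in the issue body. The following is an added example, not DokuWiki's own code or the code from #2083: the function names render_code_vulnerable, render_code_whitelisted, render_code_escaped and fake_geshi are assumptions, and fake_geshi only stands in for p_xhtml_cached_geshi() so the snippet runs without GeSHi.

```php
<?php
// Added example (not DokuWiki code): shows why $language must not reach an
// HTML attribute unchanged, and two ways of fixing it. All function names
// here are assumptions for the demonstration.

// Stand-in for p_xhtml_cached_geshi(): only escapes the code body.
function fake_geshi(string $text, string $language): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Mirrors the vulnerable line from inc/parser/xhtml.php: the language
// name is dropped straight into the class attribute.
function render_code_vulnerable(string $text, string $language): string {
    $class = 'code';
    return "<pre class=\"$class $language\">" . fake_geshi($text, $language) . '</pre>';
}

// Option 1 (the remove-chars approach): keep only characters that can
// appear in a GeSHi language name, i.e. [a-zA-Z0-9_-]. Anything else,
// including quotes, spaces and parentheses, is dropped before the value
// is used anywhere.
function sanitize_language(string $language): string {
    return preg_replace('/[^a-zA-Z0-9_-]/', '', $language);
}

function render_code_whitelisted(string $text, string $language): string {
    $language = sanitize_language($language);
    $class = 'code';
    return "<pre class=\"$class $language\">" . fake_geshi($text, $language) . '</pre>';
}

// Option 2: escape at the output sink. The value keeps its characters but
// quotes become entities, so it cannot terminate the attribute. Note that
// the raw value would still be passed on to the highlighter, which is why
// the whitelist is the safer choice when the value is also used as a
// lookup key.
function render_code_escaped(string $text, string $language): string {
    $class = 'code';
    $attr  = htmlspecialchars($class . ' ' . $language, ENT_QUOTES, 'UTF-8');
    return "<pre class=\"$attr\">" . fake_geshi($text, $language) . '</pre>';
}

// Helper a test or a renderer can call to confirm a value is attribute-safe
// under the whitelist rule.
function language_is_clean(string $language): bool {
    return preg_match('/^[a-zA-Z0-9_-]*$/', $language) === 1;
}

// Constructed input: the language string from the issue's PoC.
$language = 'abc"onmouseover="alert(1)';
$text     = 'stored xss';

echo "vulnerable:  ", render_code_vulnerable($text, $language), "\n";
echo "whitelisted: ", render_code_whitelisted($text, $language), "\n";
echo "escaped:     ", render_code_escaped($text, $language), "\n";
echo "clean after whitelist? ", var_export(language_is_clean(sanitize_language($language)), true), "\n";
```

Run with `php example.php`. In the vulnerable output the double quote inside the language name closes the class attribute and the remainder becomes a new attribute on the <pre> element; in both hardened outputs the whole value stays inside the class attribute. The whitelist variant is the one that matches the proposed [a-z0-9A-Z_-] rule and the fix merged for this issue.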

phy25 commented Aug 20, 2017

This is reproducible at https://www.dokuwiki.org/sandbox:issue-2080, and a fix is available at #2083 using the remove-chars approach.

trichimtrich commented Aug 20, 2017

The fix works well.

fgeek commented Aug 22, 2017

Please use CVE-2017-12979 for this issue.

splitbrain added a commit that referenced this issue Aug 22, 2017

Merge pull request #2083 from phy25/fix-2080 CVE-2017-12979
Fix sanitation of $language for code highlighting (fixes #2080)

@splitbrain splitbrain changed the title from [Security] Stored XSS in xhtml.php with code block to CVE-2017-12979 Stored XSS in xhtml.php with code block Aug 22, 2017

splitbrain added a commit that referenced this issue Aug 27, 2017

Merge branch 'master' into retrytests
* master: (407 commits)
  do not export the appveyor config
  Added appveyor config for automated windows testing
  Update check supports HTTPS
  fixed some style errors found by scrutinizer
  removed unused, empty files
  some cleanup fpr set_metadata test
  added one more test for internal links
  parsertests: replaced var keywords and added type hints
  Fix p_set_metadata damaging contributors with numeric ID
  Add tests for array_replace part of set_metadata
  Fix rendering null $language going to GeSHi (fixes #2088)
  Fix RSS syntax XSS bug (#2081)
  Fix sanitation of $language for code highlighting (fixes #2080)
  translation update
  fix(config): empty string is valid for numericopt
  removed old tpl_content_core method
  updated composer dependencies
  Removed progressbar from searchform
  Release preparation
  translation update
  ...