CVE-2017-12979 Stored XSS in xhtml.php with code block #2080

Closed
trichimtrich opened this issue Aug 16, 2017 · 4 comments
Comments

@trichimtrich trichimtrich commented Aug 16, 2017

Bug

The specific language parsed in a code block is not checked or sanitized before rendering wiki content. An attacker can force an admin to enable phpok in the configuration through malicious JavaScript.

Detail

/inc/parser/xhtml.php

```php
function _highlight($type, $text, $language = null, $filename = null) {
    ...
    if(is_null($language)) {
        $this->doc .= '<pre class="'.$type.'">'.$this->_xmlEntities($text).'</pre>'.DOKU_LF;
    } else {
        $class = 'code'; //we always need the code class to make the syntax highlighting apply
        if($type != 'code') $class .= ' '.$type;

        //Bug is in this line of code: $language is interpolated into the class attribute without escaping
        $this->doc .= "<pre class=\"$class $language\">".p_xhtml_cached_geshi($text, $language, '').'</pre>'.DOKU_LF;
    }
    ...
}
```

PoC

```
<code abc"onmouseover="alert(1)>
stored xss
</code>
```
@phy25 phy25 (Collaborator) commented Aug 16, 2017

I am wondering whether $language should be limited to [a-z0-9A-Z_-]* (this covers geshi's supported languages, and this is what we do in act_clean()), or whether we just sanitize it before the output.
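To make the two options above concrete, here is an added illustration (my own code, not DokuWiki's renderer or the patch in #2083): the vulnerable shape of the `_highlight()` line beside a version that applies the remove-chars approach, keeping only `[a-zA-Z0-9_-]`, run against the PoC language string from this issue. `fake_geshi()` is an assumed stand-in for `p_xhtml_cached_geshi()` that only HTML-escapes the block body; the function names and the `class_attribute_is_intact()` check are mine.

```php
<?php
// Added example, not DokuWiki's own code. Demonstrates how an unsanitized
// $language reaches the class attribute of <pre>, and how restricting it to
// [a-zA-Z0-9_-] (the remove-chars approach discussed in this issue) stops
// the attribute from being broken out of.

declare(strict_types=1);

// Assumed stand-in for p_xhtml_cached_geshi(): escapes the body, no highlighting.
function fake_geshi(string $text, string $language): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Same shape as the original line: $language is interpolated raw into the attribute.
function render_vulnerable(string $type, string $text, string $language): string
{
    $class = 'code';
    if ($type !== 'code') {
        $class .= ' ' . $type;
    }
    return "<pre class=\"$class $language\">" . fake_geshi($text, $language) . '</pre>';
}

// Remove-chars approach: strip everything outside [a-zA-Z0-9_-]. This set
// still covers every GeSHi language name, so legitimate blocks are unaffected.
function sanitize_language(string $language): string
{
    return preg_replace('/[^a-zA-Z0-9_-]/', '', $language) ?? '';
}

function render_fixed(string $type, string $text, string $language): string
{
    return render_vulnerable($type, $text, sanitize_language($language));
}

// Reviewer-side check over rendered output: the class attribute must close
// cleanly with only class-name characters inside it.
function class_attribute_is_intact(string $html): bool
{
    return preg_match('/^<pre class="[a-zA-Z0-9_ -]*">/', $html) === 1;
}

// Constructed input, taken from the PoC in this issue.
$pocLanguage = 'abc"onmouseover="alert(1)';
$pocText     = 'stored xss';

$before = render_vulnerable('code', $pocText, $pocLanguage);
$after  = render_fixed('code', $pocText, $pocLanguage);

echo "vulnerable: $before\n";
echo "fixed:      $after\n";

// The vulnerable output must fail the check and the fixed output must pass it.
if (class_attribute_is_intact($before) || !class_attribute_is_intact($after)) {
    throw new RuntimeException('sanitisation check did not behave as expected');
}
echo "class attribute intact after sanitisation\n";
```

Run it with `php example.php`. The vulnerable line emits `class="code abc"onmouseover="alert(1)"`, which the browser parses as a new event-handler attribute; after sanitisation the same input collapses to one harmless class token. Escaping with `htmlspecialchars()` instead of stripping would also prevent the breakout, but stripping has the advantage of matching what GeSHi accepts as a language name in the first place.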

@phy25 phy25 (Collaborator) commented Aug 20, 2017

This is reproducible at https://www.dokuwiki.org/sandbox:issue-2080, and a fix is available at #2083 using the remove-chars approach.

@trichimtrich trichimtrich (Author) commented Aug 20, 2017

The fix works well.

@fgeek fgeek commented Aug 22, 2017

Please use CVE-2017-12979 for this issue.

splitbrain added a commit that referenced this issue Aug 22, 2017
Fix sanitation of $language for code highlighting (fixes #2080)
@splitbrain splitbrain changed the title from "[Security] Stored XSS in xhtml.php with code block" to "CVE-2017-12979 Stored XSS in xhtml.php with code block" Aug 22, 2017
splitbrain added a commit that referenced this issue Aug 27, 2017
* master: (407 commits)
  do not export the appveyor config
  Added appveyor config for automated windows testing
  Update check supports HTTPS
  fixed some style errors found by scrutinizer
  removed unused, empty files
  some cleanup for set_metadata test
  added one more test for internal links
  parsertests: replaced var keywords and added type hints
  Fix p_set_metadata damaging contributors with numeric ID
  Add tests for array_replace part of set_metadata
  Fix rendering null $language going to GeSHi (fixes #2088)
  Fix RSS syntax XSS bug (#2081)
  Fix sanitation of $language for code highlighting (fixes #2080)
  translation update
  fix(config): empty string is valid for numericopt
  removed old tpl_content_core method
  updated composer dependencies
  Removed progressbar from searchform
  Release preparation
  translation update
  ...