CVE-2017-12980 Stored XSS in xhtml.php with RSS/Atom feed #2081
Labels
Comments
Reproducible at https://www.dokuwiki.org/sandbox:issue-2081. A fix is available at #2086. |
The fixed works well |
Please use CVE-2017-12980 for this issue. |
splitbrain
added a commit
that referenced
this issue
Aug 27, 2017
* master: (407 commits) do not export the appveyor config Added appveyor config for automated windows testing Update check supports HTTPS fixed some style errors found by scrutinizer removed unused, empty files some cleanup fpr set_metadata test added one more test for internal links parsertests: replaced var keywords and added type hints Fix p_set_metadata damaging contributors with numeric ID Add tests for array_replace part of set_metadata Fix rendering null $language going to GeSHi (fixes #2088) Fix RSS syntax XSS bug (#2081) Fix sanitation of $language for code highlighting (fixes #2080) translation update fix(config): empty string is valid for numericopt removed old tpl_content_core method updated composer dependencies Removed progressbar from searchform Release preparation translation update ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug
Author tag in RSS/Atom feed is not well sanitized (with default config of SimplePIE, it'll not be stripped html special characters, dokuwiki uses the result directly). So attacker can force others to request a remote RSS/Atom feed contains malicious javascript to do requests in their permission.
Detail
/inc/parser/xhtml.php
PoC
remote RSS
dokuwiki document
The text was updated successfully, but these errors were encountered: