Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki


Reported on Dec 16th 2021


Auditing the AJAX endpoints revealed that some endpoints which perform state changes do not have CSRF protection.

Proof of Concept

POST /lib/exe/ajax.php?call=draftdel&id=start


This vulnerability is capable of tricking users into deleting their own drafts.


Draftdel js

Draftdel backend
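To make the defect concrete, here is an added example (not DokuWiki's own code) that models the draftdel handler in Python: the vulnerable version acts on the session cookie alone, while the hardened version also requires a per-session security token that a cross-site page cannot obtain. The token derivation (HMAC over session id and user with a server-side salt), the request shape and the sample drafts are assumptions constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for an installation-wide secret (assumption).
SERVER_SALT = b"constructed-server-secret"


@dataclass
class Request:
    """Minimal model of an AJAX request as seen by the server."""
    session_id: str          # taken from the session cookie the browser sends
    user: str                # authenticated user bound to that session
    params: dict = field(default_factory=dict)  # POST/GET parameters


def security_token(session_id: str, user: str) -> str:
    """Per-session token bound to the logged-in user (modelled scheme, not DokuWiki's)."""
    msg = (session_id + user).encode()
    return hmac.new(SERVER_SALT, msg, hashlib.sha256).hexdigest()


def draftdel_vulnerable(req: Request, drafts: dict) -> bool:
    """Deletes the draft named by `id` on the strength of the cookie alone.
    A cross-site POST carries the victim's cookie, so the deletion succeeds."""
    page = req.params.get("id", "")
    return drafts.pop((req.user, page), None) is not None


def draftdel_hardened(req: Request, drafts: dict) -> bool:
    """Same action, but the caller must present the per-session token.
    A forged cross-site request cannot read it, so it is rejected unchanged."""
    expected = security_token(req.session_id, req.user)
    supplied = req.params.get("sectok", "")
    if not hmac.compare_digest(expected, supplied):   # constant-time compare
        return False                                   # nothing deleted
    page = req.params.get("id", "")
    return drafts.pop((req.user, page), None) is not None


def demo() -> dict:
    """Runs the forged request against both handlers and reports the outcome."""
    forged = Request("sess-1", "alice", {"call": "draftdel", "id": "start"})
    legit = Request("sess-1", "alice", {"call": "draftdel", "id": "start",
                                        "sectok": security_token("sess-1", "alice")})
    vuln_drafts = {("alice", "start"): "draft text"}
    hard_drafts = {("alice", "start"): "draft text"}
    return {
        "forged_vs_vulnerable": draftdel_vulnerable(forged, vuln_drafts),  # True: deleted
        "forged_vs_hardened": draftdel_hardened(forged, hard_drafts),      # False: blocked
        "legit_vs_hardened": draftdel_hardened(legit, hard_drafts),        # True: deleted
    }
```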

We are processing your report and will contact the splitbrain/dokuwiki team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a exists 2 years ago
haxatron modified the report 2 years ago


Looks like the lock ajax endpoint doesn't seem to do much, let me investigate further

2 years ago


I think the lock ajax endpoint does not seem to do much, so it does not seem to warrant CSRF protection

We have contacted a member of the splitbrain/dokuwiki team and are waiting to hear back 2 years ago
Andreas Gohr validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Andreas Gohr marked this as fixed with commit 242015 2 years ago
Andreas Gohr has been awarded the fix bounty
edit.js#L210-L215 has been validated
Ajax.php#L163-L173 has been validated