Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki
Dec 14th 2021
Although security token is present in the delete draft POST request. It is not being checked in the backend by checkSecurityToken() CSRF checks.
Proof of Concept
1: As a logged-in user create a draft page, on the data/cache directory of the server run the command to confirm a draft has been created
2: As a logged-in user open the following HTML to perform the draft delete action.
3: Rerun the following command in the data/cache directory to confirm the draft has been deleted
This vulnerability is capable of tricking users to delete drafts permanently. Recover draft is not a state change and it is not necessary to check the security token. It may be possible to trick users who forget to save, to delete their own drafts via a CSRF attack.
Apply fix that is similar to the other Logout CSRF report