Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki

Status: Valid

Reported on Dec 14th 2021


Description

Although a security token is present in the delete-draft POST request, it is not checked in the backend by the checkSecurityToken() CSRF check, so the draftdel action performs the deletion regardless of whether a valid token was sent.

Proof of Concept

1: As a logged-in user, create a draft page. In the data/cache directory of the server, run the following command to confirm a draft has been created:

cat */*.draft

2: As a logged-in user, open the following HTML to perform the draft delete action:

<img src="http://10.0.2.15/doku.php?id=start&do=draftdel">

3: Rerun the following command in the data/cache directory to confirm the draft has been deleted:

cat */*.draft

Impact

This vulnerability can trick users into deleting their drafts permanently. Recovering a draft is not a state change, so it is not necessary to check the security token there. Users who forgot to save may be tricked into deleting their own drafts via a CSRF attack.

Recommended Fix

Apply a fix similar to the one in the other Logout CSRF report, i.e. call checkSecurityToken() before performing the draft deletion.
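As an added example (not DokuWiki's own code), the following PHP sketches the defect and the fix: a draft-delete handler that ignores the token beside one that verifies it with a stand-in for checkSecurityToken(). The function names, the token scheme and the draft file layout are assumptions.

```php
<?php
// Added example, not DokuWiki's own code. Shows the draftdel defect from this
// report (token present in the request but never verified) beside the fixed
// handler. Function names and the draft file layout here are hypothetical.

// Per-session CSRF token; pages embed it in the draftdel link as ?sectok=...
function issue_token(array &$session): string {
    if (empty($session['sectok'])) {
        $session['sectok'] = bin2hex(random_bytes(16));
    }
    return $session['sectok'];
}

// Stand-in for checkSecurityToken(): constant-time compare of the submitted
// token against the session's; a missing token on either side fails closed.
function verify_token(array $request, array $session): bool {
    $sent = (string)($request['sectok'] ?? '');
    $expected = (string)($session['sectok'] ?? '');
    return $sent !== '' && $expected !== '' && hash_equals($expected, $sent);
}

function draft_path(string $cacheDir, string $pageId): string {
    return $cacheDir . '/' . md5($pageId) . '.draft';
}

// Vulnerable: the state change runs regardless of the token, so a cross-site
// <img src="...doku.php?id=start&do=draftdel"> carrying no token still deletes.
function draftdel_vulnerable(array $request, string $cacheDir): bool {
    $file = draft_path($cacheDir, (string)($request['id'] ?? ''));
    return is_file($file) && unlink($file);
}

// Fixed: verify the token first; a forged request leaves the draft untouched.
function draftdel_fixed(array $request, array $session, string $cacheDir): bool {
    if (!verify_token($request, $session)) {
        return false;
    }
    $file = draft_path($cacheDir, (string)($request['id'] ?? ''));
    return is_file($file) && unlink($file);
}

// Demo on a constructed temp cache dir: first a forged, token-less request
// (refused by the fixed handler), then the same request with a valid token.
$cache = sys_get_temp_dir() . '/draftdemo';
@mkdir($cache);
$session = [];
file_put_contents(draft_path($cache, 'start'), 'unsaved edit');
$forged = ['id' => 'start', 'do' => 'draftdel'];
var_dump(draftdel_fixed($forged, $session, $cache));
$forged['sectok'] = issue_token($session);
var_dump(draftdel_fixed($forged, $session, $cache));
```

Calling draftdel_vulnerable() with the token-less $forged request deletes the file just the same, which is the behaviour this report describes.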

Timeline

Andreas Gohr validated this vulnerability.
haxatron has been awarded the disclosure bounty.
Andreas Gohr marked this as fixed with commit e66999.
This vulnerability will not receive a CVE.
Draftdel.php#L28L33 has been validated.