Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki


Reported on

Dec 6th 2021


DokuWiki is vulnerable to CSRF in enabling / disabling plugin due to missing CSRF token (sectok)

Proof of Concept

If a logged-in admin user visits an attacker's website with the following HTML code

<img src="http://[DOKUWIKI_URL]/lib/exe/ajax.php?call=plugin_extension&ext=authldap&act=disable">

the LDAP plugin, for example, will be disabled


This vulnerability is capable of tricking admin users to enable / disable plugins, unknowingly disabling some functionalities of their site. For instance, custom authentication plugins can be disabled, preventing users from login.

Recommended Fix

I recommend using the sectok in this AJAX endpoint, much like the sectok token used in the mediaupload AJAX endpoint


missing sectok

missing sectok check

We are processing your report and will contact the splitbrain/dokuwiki team within 24 hours. 2 years ago
haxatron modified the report
2 years ago
haxatron modified the report
2 years ago
haxatron modified the report
2 years ago
2 years ago


tested on release_stable_2020-07-29 "Hogfather"

We created a GitHub Issue asking the maintainers to create a 2 years ago
Andreas Gohr validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Andreas Gohr marked this as fixed with commit 96f679 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
script.js#L63L83 has been validated
action.php#L57L73 has been validated
to join this conversation