Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki

Status: Valid

Reported on: Dec 6th 2021


Description

DokuWiki's extension manager enables and disables plugins through the AJAX endpoint lib/exe/ajax.php (call=plugin_extension) without checking the CSRF security token (sectok). A forged cross-site request made by a logged-in administrator's browser is therefore enough to enable or disable any installed plugin.

Proof of Concept

If a logged-in admin user visits an attacker's website containing the following HTML, the browser sends the request together with the admin's DokuWiki session cookie:

<img src="http://[DOKUWIKI_URL]/lib/exe/ajax.php?call=plugin_extension&ext=authldap&act=disable">

and the LDAP authentication plugin (authldap is used here as an example; any installed plugin name can be passed in ext=) is disabled without any confirmation. Because the endpoint accepts the action over GET, no script needs to run on the attacker's page; loading the image is sufficient.

Reproduction caveat: a browser that applies SameSite=Lax to the DokuWiki session cookie will not attach it to a cross-site <img> subresource request. The same URL reached by a top-level navigation (a link or a redirect) is still a cross-site GET that carries the cookie, so the action triggers either way.

Impact

An attacker can trick an authenticated admin into enabling or disabling arbitrary installed plugins without their knowledge, silently removing functionality from the site. For instance, disabling a custom authentication plugin prevents all users from logging in, and since the admin never sees the request, the cause is not obvious.

Recommended Fix

I recommend requiring and verifying the sectok in this AJAX endpoint, much like the mediaupload AJAX endpoint already does.
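The following PHP is an added illustration of the recommended check, not DokuWiki's own code and not the fix commit. It models the vulnerable handler beside a hardened one in a self-contained script: the function names (issue_sectok, sectok_is_valid, handle_plugin_extension_vulnerable, handle_plugin_extension_fixed), the request arrays and the plugin table are all constructed for the example. DokuWiki's real helpers for this are getSecurityToken() and checkSecurityToken() in inc/auth.php; the example also rejects GET for the state change, which goes one step beyond what the report asks for.

```php
<?php
// Added example (not DokuWiki's code, not the fix commit): a minimal model of
// an AJAX action handler with and without a sectok check. All names below are
// hypothetical; DokuWiki's real helpers are getSecurityToken() and
// checkSecurityToken() in inc/auth.php.

declare(strict_types=1);

// Issue a per-session CSRF token, stored server-side and handed to the page
// (as a hidden form field or a value readable by the page's JavaScript).
function issue_sectok(array &$session): string
{
    if (empty($session['sectok'])) {
        $session['sectok'] = bin2hex(random_bytes(16));
    }
    return $session['sectok'];
}

// Constant-time comparison of the submitted token against the session's.
function sectok_is_valid(array $session, ?string $submitted): bool
{
    if ($submitted === null || empty($session['sectok'])) {
        return false;
    }
    return hash_equals($session['sectok'], $submitted);
}

// Vulnerable handler: acts on ?call=plugin_extension&ext=...&act=... with no
// token check, so any cross-site request from an admin's browser is honoured.
function handle_plugin_extension_vulnerable(array $request, array &$plugins): array
{
    $ext = $request['ext'] ?? '';
    $act = $request['act'] ?? '';
    if (!isset($plugins[$ext]) || !in_array($act, ['enable', 'disable'], true)) {
        return ['status' => 400, 'error' => 'unknown plugin or action'];
    }
    $plugins[$ext] = ($act === 'enable');
    return ['status' => 200, 'ext' => $ext, 'enabled' => $plugins[$ext]];
}

// Hardened handler: require POST and a valid sectok before changing any state.
function handle_plugin_extension_fixed(string $method, array $request, array $session, array &$plugins): array
{
    if ($method !== 'POST') {
        return ['status' => 405, 'error' => 'state change requires POST'];
    }
    if (!sectok_is_valid($session, $request['sectok'] ?? null)) {
        // Reject and do nothing, which is what checkSecurityToken() callers do.
        return ['status' => 403, 'error' => 'invalid or missing security token'];
    }
    return handle_plugin_extension_vulnerable($request, $plugins);
}

// Demonstration with constructed data: one admin session, two plugins.
$session = [];
$token = issue_sectok($session);
$plugins = ['authldap' => true, 'extension' => true];

// The report's PoC request: a cross-site <img> GET carrying no sectok.
$csrf = ['call' => 'plugin_extension', 'ext' => 'authldap', 'act' => 'disable'];

$r = handle_plugin_extension_vulnerable($csrf, $plugins);
printf("vulnerable handler: status %d, authldap enabled=%s\n",
    $r['status'], var_export($plugins['authldap'], true));

$plugins['authldap'] = true;
$r = handle_plugin_extension_fixed('GET', $csrf, $session, $plugins);
printf("fixed handler, GET without token: status %d, authldap enabled=%s\n",
    $r['status'], var_export($plugins['authldap'], true));

$r = handle_plugin_extension_fixed('POST', $csrf, $session, $plugins);
printf("fixed handler, POST without token: status %d, authldap enabled=%s\n",
    $r['status'], var_export($plugins['authldap'], true));

// Only the legitimate UI, which knows the session's token, gets through.
$r = handle_plugin_extension_fixed('POST', $csrf + ['sectok' => $token], $session, $plugins);
printf("fixed handler, POST with token: status %d, authldap enabled=%s\n",
    $r['status'], var_export($plugins['authldap'], true));
```

Run it with php on the command line. The token must be unguessable and tied to the session, and the comparison uses hash_equals so that a timing side channel cannot leak it; the client side of the extension manager then has to send the token with every enable/disable request, which is the other half of the two occurrences listed below.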

Occurrences

missing sectok (script.js#L63L83)

missing sectok check (action.php#L57L73)

Timeline

huntr: "We are processing your report and will contact the splitbrain/dokuwiki team within 24 hours."
haxatron modified the report (three revisions)
haxatron (Researcher): tested on release_stable_2020-07-29 "Hogfather"
huntr: "We created a GitHub Issue asking the maintainers to create a SECURITY.md"
Andreas Gohr validated this vulnerability
haxatron has been awarded the disclosure bounty; the fix bounty is now up for grabs
Andreas Gohr marked this as fixed with commit 96f679
The fix bounty has been dropped
This vulnerability will not receive a CVE
script.js#L63L83 has been validated
action.php#L57L73 has been validated