Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki

Status: Valid

Reported on: Dec 6th 2021


Description

DokuWiki is vulnerable to CSRF when enabling or disabling plugins through the plugin_extension AJAX endpoint, because the request is not protected by the CSRF token (sectok).

Proof of Concept

If a logged-in admin user visits an attacker's website containing the following HTML,

<img src="http://[DOKUWIKI_URL]/lib/exe/ajax.php?call=plugin_extension&ext=authldap&act=disable">

the LDAP authentication plugin, for example, will be disabled.

Impact

This vulnerability can trick admin users into enabling or disabling plugins, unknowingly disabling some functionality of their site. For instance, custom authentication plugins can be disabled, preventing users from logging in.

Recommended Fix

I recommend requiring and checking the sectok in this AJAX endpoint, much like the sectok used by the mediaupload AJAX endpoint.
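As an added illustration of the recommended fix (a constructed Python model, not DokuWiki's code; the handler and helper names are hypothetical): the forged request from the proof of concept succeeds against the unprotected handler and is refused once the endpoint requires the session-bound sectok.

```python
import hmac
import secrets

def issue_sectok(session):
    """Mint one random token per logged-in session and hand it only to the
    wiki's own pages/JS; a third-party site cannot read it (hypothetical helper)."""
    if "sectok" not in session:
        session["sectok"] = secrets.token_hex(16)
    return session["sectok"]

def _apply(state, params):
    # Shared plugin enable/disable action with strict parameter validation.
    ext, act = params.get("ext"), params.get("act")
    if ext not in state["plugins"] or act not in ("enable", "disable"):
        return 400
    state["plugins"][ext] = (act == "enable")
    return 200

def handle_vulnerable(state, session, params):
    """Reported behaviour: the session cookie alone authorises the change,
    so a request forged from another origin succeeds."""
    if not session.get("is_admin"):
        return 403
    return _apply(state, params)

def handle_fixed(state, session, params):
    """Recommended fix: the request must carry the session-bound sectok.
    Compare in constant time so the check itself leaks nothing."""
    if not session.get("is_admin"):
        return 403
    expected = session.get("sectok")
    supplied = params.get("sectok", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    return _apply(state, params)

# The <img> from the report: a cookie-bearing GET that carries no token.
FORGED = {"call": "plugin_extension", "ext": "authldap", "act": "disable"}

def simulate(handler, with_token=False):
    """Run the forged (or, with with_token=True, legitimate) request against a
    handler; returns (HTTP status, whether authldap is still enabled)."""
    state = {"plugins": {"authldap": True, "extension": True}}  # constructed state
    session = {"is_admin": True}
    token = issue_sectok(session)
    params = dict(FORGED, sectok=token) if with_token else dict(FORGED)
    status = handler(state, session, params)
    return status, state["plugins"]["authldap"]
```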

Occurrences

missing sectok

missing sectok check

Researcher: haxatron

tested on release_stable_2020-07-29 "Hogfather"

We created a GitHub Issue asking the maintainers to create a SECURITY.md
Andreas Gohr validated this vulnerability
haxatron has been awarded the disclosure bounty
Andreas Gohr confirmed that a fix has been merged on 96f679
script.js#L63L83 has been validated
action.php#L57L73 has been validated