Improper Access Control in splitbrain/dokuwiki
Dec 16th 2021
Users can access drafts of restricted pages if they have create permissions on the same namespace and can choose their own usernames, because the draft cache name is built by concatenating the username and the page id and can therefore collide between different user/page pairs. This can reveal draft contents and lets the attacker delete or overwrite the draft of the restricted page.
Proof of Concept
1: A user named admin creates a restricted page named secret in the root namespace (secret).
2: The user admin saves a draft of the secret page. This causes the draft file for the secret page to be generated as follows: the parameter passed to getCacheName is "admin"."secret" = "adminsecret".
3: The attacker registers a user named "admins" and, assuming they have create permissions on the same namespace, creates a page named "ecret" (the ecret page must actually exist in order to pass some checks):
"admins"."ecret" = "adminsecret"
The same parameter "adminsecret" is now passed to getCacheName, so the attacker "admins" can access the draft via http://[DOKU-URL]/doku.php?id=ecret&do=draft.
4: They can then read the draft content, delete the draft, and overwrite the draft content.
If registration is enabled and users are given create permissions on the same namespace as the restricted page, they can read draft content, overwrite it, and even delete other users' drafts of restricted pages.
Instead of passing the client name in directly, hash the client name first (any hash algorithm will do). Example:
md5(admin) => 21232f297a57a5a743894a0e4a801fc3, so "21232f297a57a5a743894a0e4a801fc3"."secret" => "21232f297a57a5a743894a0e4a801fc3secret"
This works because a hash digest has a fixed length: the boundary between the username part and the page id is always at the same offset, so no other username/page pair can produce the same string and there is no way to abuse this.
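As an added example (not DokuWiki's own code; the function names are hypothetical and the key construction is modelled on the description above), the following shows why plain concatenation collides for the advisory's admin/secret and admins/ecret pair, and why a fixed-width digest prefix makes the key unambiguous again. It goes a step beyond the page by listing every other split of the concatenated key, each of which is a distinct user/page pair that the vulnerable scheme maps to the same draft name.

```python
import hashlib

# Models the draft cache name from the advisory. Not DokuWiki code:
# the real getCacheName() takes more arguments; only the key string matters here.


def vulnerable_key(client: str, page_id: str) -> str:
    """Key as the advisory describes it: username and page id concatenated."""
    return client + page_id


def fixed_key(client: str, page_id: str) -> str:
    """Hash the username first. An MD5 digest is always 32 hex characters,
    so the key splits at a fixed offset and cannot be re-cut into another pair."""
    return hashlib.md5(client.encode("utf-8")).hexdigest() + page_id


def colliding_pairs(client: str, page_id: str) -> list:
    """Every other cut point of client+page_id is a different (user, page)
    pair that vulnerable_key() maps to exactly the same cache name."""
    key = vulnerable_key(client, page_id)
    own_split = len(client)
    return [(key[:i], key[i:]) for i in range(1, len(key)) if i != own_split]


def page_id_from_fixed_key(key: str) -> str:
    """With the fixed scheme the page id can be recovered unambiguously."""
    return key[32:]


if __name__ == "__main__":
    victim = ("admin", "secret")      # values from the advisory
    attacker = ("admins", "ecret")
    print(vulnerable_key(*victim) == vulnerable_key(*attacker))  # True: collision
    print(fixed_key(*victim) == fixed_key(*attacker))            # False
    print(colliding_pairs(*victim))
```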