Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki


Reported on

Dec 8th 2021


Another low-severity CSRF (last one, I think) identified on the styling page.

Proof of Concept

Requests to the following endpoint (used by admins to edit template styling settings) are accepted without the sectok CSRF token:

POST /doku.php?id=start&do=admin&page=styling


This vulnerability allows an attacker to trick an admin into defacing their own site: a page under the attacker's control can make the admin's browser submit the styling form, and because the endpoint does not check sectok, the change is applied with the admin's session.
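To make the failure mode concrete, here is an added example (not DokuWiki's code) that models the styling handler before and after the fix. It assumes DokuWiki's token scheme, a session-bound HMAC over the session id and user name keyed with a server-side salt, compared in constant time; the session id, salt, admin name and the template setting name `__hypothetical_background` are all constructed placeholders. The point it shows: a cross-site page can set arbitrary form fields, but it cannot read the HttpOnly session cookie or the server salt, so it cannot produce a valid sectok, and the checked handler rejects the forged request while the unchecked one applies it.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed stand-in for a server-side secret (DokuWiki uses its cookie salt).
SERVER_SALT = b"constructed-server-side-salt-do-not-reuse"
ADMINS = {"alice"}

# Sent automatically by the browser as a cookie on every request, including
# ones a third-party page triggers. Values are constructed.
ADMIN_SESSION = {"id": "sess-7f3a", "user": "alice"}


def security_token(session_id: str, user: str) -> str:
    """Session-bound CSRF token, modelled on DokuWiki's sectok: an HMAC of the
    session id and user name under a server-only salt (md5 digest assumed)."""
    return hmac.new(SERVER_SALT, (session_id + user).encode(), hashlib.md5).hexdigest()


def check_security_token(session_id: str, user: str, submitted: Optional[str]) -> bool:
    """Reject a missing token and compare in constant time to avoid timing leaks."""
    if not submitted:
        return False
    return hmac.compare_digest(security_token(session_id, user), submitted)


def make_request(session: Dict[str, str], form: Dict[str, object]) -> Dict[str, object]:
    return {"cookie_session": session, "form": form}


def styling_handler_vulnerable(settings: Dict[str, str], request: Dict[str, object]) -> int:
    """Pre-fix behaviour described in the report: the session cookie is the only
    check, so any POST the admin's browser sends is applied."""
    session = request["cookie_session"]
    if session["user"] not in ADMINS:
        return 403
    settings.update(request["form"].get("tpl", {}))
    return 200


def styling_handler_fixed(settings: Dict[str, str], request: Dict[str, object]) -> int:
    """Same handler with the sectok check a CSRF-protected admin action needs."""
    session = request["cookie_session"]
    if session["user"] not in ADMINS:
        return 403
    if not check_security_token(session["id"], session["user"], request["form"].get("sectok")):
        return 403
    settings.update(request["form"].get("tpl", {}))
    return 200


def forged_form() -> Dict[str, object]:
    """What a page on another origin can make the admin's browser POST: any
    fields it likes, but no sectok, since it cannot read the cookie or the salt."""
    return {"tpl": {"__hypothetical_background": "#000000"}}


def legit_form() -> Dict[str, object]:
    """The admin's own styling page, where the server rendered sectok into a hidden input."""
    return {
        "sectok": security_token(ADMIN_SESSION["id"], ADMIN_SESSION["user"]),
        "tpl": {"__hypothetical_background": "#ffffff"},
    }


def run(handler, form: Dict[str, object]) -> Tuple[int, str]:
    """Dispatch one request from the admin's browser and report status plus the resulting setting."""
    settings = {"__hypothetical_background": "#fbfaf9"}
    status = handler(settings, make_request(ADMIN_SESSION, form))
    return status, settings["__hypothetical_background"]


if __name__ == "__main__":
    print("vulnerable, forged:", run(styling_handler_vulnerable, forged_form()))
    print("fixed, forged:     ", run(styling_handler_fixed, forged_form()))
    print("fixed, legit:      ", run(styling_handler_fixed, legit_form()))
```

A token copied from a different session (or guessed) also fails, because the HMAC input includes the session id; that is what makes the check meaningful against an attacker who controls the request body but not the cookie.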


Timeline

We are processing your report and will contact the splitbrain/dokuwiki team within 24 hours.
We have contacted a member of the splitbrain/dokuwiki team and are waiting to hear back.
Andreas Gohr validated this vulnerability.
haxatron has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Andreas Gohr confirmed that a fix has been merged on 54bcc3.
The fix bounty has been dropped.
admin.php#L58L114 has been validated.