05-12-2014 / Vulnerabilities

DokuWiki 2014-09-29a XSS

By default, .swf files are an allowed upload type in the Media Manager, so any user with upload rights can store Flash content that is then served from the wiki's own origin.

File: dokuwiki\conf\mime.conf

swf     application/x-shockwave-flash

File: dokuwiki\inc\media.php

function media_save($file, $id, $ow, $auth, $move) {
    if($auth < AUTH_UPLOAD) {
        return array("You don't have permissions to upload files.", -1);
    }
    if (!isset($file['mime']) || !isset($file['ext'])) {
        list($ext, $mime) = mimetype($id);
        if (!isset($file['mime'])) {
            $file['mime'] = $mime;
        }
        if (!isset($file['ext'])) {
            $file['ext'] = $ext;
        }
    }
    global $lang, $conf;
    // get filename
    $id   = cleanID($id);
    $fn   = mediaFN($id);
    // get filetype regexp: the whitelist is every extension listed in
    // conf/mime.conf (read by getMimeTypes()), so "swf" is accepted as long
    // as it appears there
    $types = array_keys(getMimeTypes());
    $types = array_map(create_function('$q','return preg_quote($q,"/");'),$types);
    $regex = join('|',$types);
    // because a temp file was created already
    if(!preg_match('/\.('.$regex.')$/i',$fn)) {
        return array($lang['uploadwrong'],-1);
    }
    //check for overwrite
    $overwrite = @file_exists($fn);
    $auth_ow = (($conf['mediarevisions']) ? AUTH_UPLOAD : AUTH_DELETE);
    if($overwrite && (!$ow || $auth < $auth_ow)) {
        return array($lang['uploadexist'], 0);
    }
    // check for valid content
    $ok = media_contentcheck($file['name'], $file['mime']);
    if($ok == -1){
        return array(sprintf($lang['uploadbadcontent'],'.' . $file['ext']),-1);
    }elseif($ok == -2){
        return array($lang['uploadspam'],-1);
    }elseif($ok == -3){
        return array($lang['uploadxss'],-1);
    }
    // prepare event data
    $data[0] = $file['name'];
    $data[1] = $fn;
    $data[2] = $id;
    $data[3] = $file['mime'];
    $data[4] = $overwrite;
    $data[5] = $move;
    // trigger event
    return trigger_event('MEDIA_UPLOAD_FINISH', $data, '_media_upload_action', true);
}

A similar issue was addressed in WordPress:

Updated security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.
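The acceptance logic above reduces to "is the extension in mime.conf?", so the practical check for an administrator is to audit that file for active content served inline. The script below is an added example (not DokuWiki's code): it parses a constructed mime.conf excerpt, rebuilds the same extension regex as media_save(), and lists entries that are uploadable, browser-executable and not forced to download. The meaning of a leading "!" (forced download) and the list of active-content extensions are assumptions of this example.

```python
import re

# Constructed excerpt in the "ext  mime" layout of conf/mime.conf; sample
# input for this example, not the file DokuWiki ships. A "!" before the
# MIME type is assumed here to mean "send as attachment" (forced download).
MIME_CONF = """\
# comment lines start with #
jpg     image/jpeg
png     image/png
pdf     application/pdf
swf     application/x-shockwave-flash
exe     !application/octet-stream
html    text/html
"""

# Assumed list of types whose body can run script in the browser when the
# file is rendered inline from the wiki origin (not taken from the advisory).
ACTIVE_CONTENT = {"swf", "html", "htm", "svg", "xhtml"}


def parse_mime_conf(text):
    """Return {ext: (mime, forced_download)} from mime.conf-style text."""
    types = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ext, mime = line.split(None, 1)
        forced = mime.startswith("!")
        types[ext.lower()] = (mime.lstrip("!"), forced)
    return types


def upload_regex(types):
    """Same construction as media_save(): '/\\.(ext1|ext2|...)$/i'."""
    alternation = "|".join(re.escape(e) for e in types)
    return re.compile(r"\.(" + alternation + r")$", re.IGNORECASE)


def is_uploadable(filename, types):
    """True when media_save() would pass the file-type check."""
    return upload_regex(types).search(filename) is not None


def risky_entries(types):
    """Extensions that are uploadable, active content, and served inline."""
    return sorted(e for e, (_, forced) in types.items()
                  if e in ACTIVE_CONTENT and not forced)


if __name__ == "__main__":
    t = parse_mime_conf(MIME_CONF)
    print("uploadable xss.swf:", is_uploadable("xss.swf", t))
    print("risky inline entries:", risky_entries(t))
```

Removing the flagged lines from mime.conf (or marking them for forced download) closes the upload path the same way the WordPress change did for .swf and .exe.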

Proof of Concept

If you have upload permission, upload xss.swf by evilcos.

Then you can use:

http://dokuwiki-url/lib/exe/fetch.php?media=%path_to_file%&a=eval&c=alert(document.cookie)

Timeline

  • 16-11-2014: Discovered
  • 16-11-2014: Vendor notified
  • 03-12-2014: Hotfix released, issue resolved