By default, .swf files are allowed in the Media Manager.
File: dokuwiki\conf\mime.conf
swf application/x-shockwave-flash
File: dokuwiki\inc\media.php
function media_save($file, $id, $ow, $auth, $move) {
    if($auth < AUTH_UPLOAD) {
        return array("You don't have permissions to upload files.", -1);
    }

    // fill in mime type and extension from the target id if the caller did not supply them
    if (!isset($file['mime']) || !isset($file['ext'])) {
        list($ext, $mime) = mimetype($id);
        if (!isset($file['mime'])) {
            $file['mime'] = $mime;
        }
        if (!isset($file['ext'])) {
            $file['ext'] = $ext;
        }
    }

    global $lang, $conf;

    // get filename
    $id = cleanID($id);
    $fn = mediaFN($id);

    // get filetype regexp: the allowlist is every extension listed in mime.conf,
    // so a .swf entry there is all it takes for Flash files to pass this gate
    $types = array_keys(getMimeTypes());
    $types = array_map(create_function('$q','return preg_quote($q,"/");'),$types);
    $regex = join('|',$types);

    // because a temp file was created already
    if(!preg_match('/\.('.$regex.')$/i',$fn)) {
        return array($lang['uploadwrong'],-1);
    }

    //check for overwrite
    $overwrite = @file_exists($fn);
    $auth_ow = (($conf['mediarevisions']) ? AUTH_UPLOAD : AUTH_DELETE);
    if($overwrite && (!$ow || $auth < $auth_ow)) {
        return array($lang['uploadexist'], 0);
    }

    // check for valid content
    $ok = media_contentcheck($file['name'], $file['mime']);
    if($ok == -1){
        return array(sprintf($lang['uploadbadcontent'],'.' . $file['ext']),-1);
    }elseif($ok == -2){
        return array($lang['uploadspam'],-1);
    }elseif($ok == -3){
        return array($lang['uploadxss'],-1);
    }

    // prepare event data
    $data[0] = $file['name'];
    $data[1] = $fn;
    $data[2] = $id;
    $data[3] = $file['mime'];
    $data[4] = $overwrite;
    $data[5] = $move;

    // trigger event
    return trigger_event('MEDIA_UPLOAD_FINISH', $data, '_media_upload_action', true);
}
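The extension check in media_save() above is only as strong as the list it is built from: it derives its regex from the keys of mime.conf, so the fix is in the configuration, not in the regex. The following is an added example (not DokuWiki's own code) that models that allowlist construction and audits a mime.conf fragment for active-content types that would be both accepted for upload and rendered inline by the browser. It assumes the "ext mimetype" line format, assumes the DokuWiki convention that a mimetype prefixed with "!" is served as a download, and uses constructed configuration fragments and a hand-picked ACTIVE_CONTENT list.

```php
<?php
// Added example, not DokuWiki's own code: models the extension allowlist that
// media_save() builds from mime.conf and shows that the mime.conf entry, not the
// regex check, decides whether active content such as Flash is accepted.
// Assumptions: lines are "ext mimetype"; a mimetype prefixed with "!" means the
// file is served as a download instead of being rendered inline.

// Constructed mime.conf fragments for the demonstration.
const MIME_CONF_DEFAULT  = "png image/png\njpg image/jpeg\nswf application/x-shockwave-flash\n";
const MIME_CONF_REMOVED  = "png image/png\njpg image/jpeg\n";
const MIME_CONF_DOWNLOAD = "png image/png\njpg image/jpeg\nswf !application/x-shockwave-flash\n";

// Extensions whose content can execute script in the browser when rendered inline
// (hand-picked list for this example).
const ACTIVE_CONTENT = ['swf', 'html', 'htm', 'xhtml', 'svg'];

/** Parse mime.conf text into ext => ['mime' => string, 'download' => bool]. */
function parseMimeConf(string $conf): array {
    $types = [];
    foreach (explode("\n", $conf) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (preg_match('/^(\S+)\s+(\S+)$/', $line, $m)) {
            $types[strtolower($m[1])] = [
                'mime'     => ltrim($m[2], '!'),
                'download' => ($m[2][0] === '!'),
            ];
        }
    }
    return $types;
}

/** Same construction as media_save(): every allowed extension joined into one regex. */
function buildExtensionRegex(array $types): string {
    $quoted = array_map(fn($q) => preg_quote($q, '/'), array_keys($types));
    return '/\.(' . join('|', $quoted) . ')$/i';
}

/** The gate media_save() applies: does the target filename carry an allowed extension? */
function isUploadAllowed(string $filename, array $types): bool {
    return preg_match(buildExtensionRegex($types), $filename) === 1;
}

/** Would a stored file of this name be handed to the browser for inline rendering? */
function isServedInline(string $filename, array $types): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return isset($types[$ext]) && !$types[$ext]['download'];
}

/**
 * Audit: active-content extensions that a mime.conf both accepts for upload and
 * serves inline, i.e. the combination that makes stored XSS via uploads possible.
 */
function auditMimeConf(string $conf): array {
    $types = parseMimeConf($conf);
    $risky = [];
    foreach (ACTIVE_CONTENT as $ext) {
        $probe = "probe.$ext";
        if (isUploadAllowed($probe, $types) && isServedInline($probe, $types)) {
            $risky[] = $ext;
        }
    }
    return $risky;
}

$fragments = [
    'default'  => MIME_CONF_DEFAULT,
    'removed'  => MIME_CONF_REMOVED,
    'download' => MIME_CONF_DOWNLOAD,
];
foreach ($fragments as $label => $conf) {
    $types = parseMimeConf($conf);
    printf("%-8s upload of xss.swf allowed: %-3s served inline: %-3s risky: [%s]\n",
        $label,
        isUploadAllowed('xss.swf', $types) ? 'yes' : 'no',
        isServedInline('xss.swf', $types) ? 'yes' : 'no',
        implode(', ', auditMimeConf($conf)));
}
```

With the default fragment the upload of xss.swf passes the regex gate and the audit flags swf; removing the entry makes the same upload fail the gate, and the "!" variant still accepts the file but no longer serves it inline, which is the weaker of the two mitigations because the file still lands on the server. Running auditMimeConf() against a real mime.conf is a quick way to check an installation for the same class of entry.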
A similar issue was fixed in WordPress; from its release notes:
Updated security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.
Proof of Concept
If you have upload permission, upload xss.swf (by evilcos). Then you can use:
http://dokuwiki-url/lib/exe/fetch.php?media=%path_to_file%&a=eval&c=alert(document.cookie)
Timeline
- 16-11-2014: Discovered
- 16-11-2014: Vendor notified
- 03-12-2014: Hotfix released, issue resolved