Bug 815122 (CVE-2012-2128, CVE-2012-2129)

Summary: CVE-2012-2128 CVE-2012-2129 dokuwiki: XSS and CSRF due improper escaping of 'target' parameter in preprocessing edit form data
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andrew, jpopelka, jrusnack
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-11-12 15:28:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 815123, 815124    
Bug Blocks:    

Description Jan Lieskovsky 2012-04-22 17:09:33 UTC 
A cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws were found in the way DokuWiki, a standards compliant, simple to use Wiki, performed sanitization of the 'target' parameter when preprocessing edit form data. A remote attacker could provide a specially-crafted URL, which once visited by a valid DokuWiki user would lead to arbitrary HTML or web script execution in the context of logged in DokuWiki user.

References:
[1] https://secunia.com/advisories/48848/
[2] http://ircrash.com/uploads/dokuwiki.txt
[3] https://bugs.gentoo.org/show_bug.cgi?id=412891

Discovered by : Khashayar Fereidani

Proof of Concept URL: http://sitename/doku.php?do=edit&id=S9F8W2A&target=<script>alert(123)</script>
Comment 1 Jan Lieskovsky 2012-04-22 17:16:50 UTC 
Upstream bug report for the XSS issue:
[4] http://bugs.dokuwiki.org/index.php?do=details&task_id=2487

Upstream bug report for the CSRF issue:
[5] http://bugs.dokuwiki.org/index.php?do=details&task_id=2488
Comment 2 Jan Lieskovsky 2012-04-22 17:25:12 UTC 
CVE Request:
[6] http://www.openwall.com/lists/oss-security/2012/04/22/4
Comment 3 Jan Lieskovsky 2012-04-22 17:26:15 UTC 
This issue affects the versions of the dokuwiki package, as shipped with Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.

--

This issue affects the versions of the dokuwiki package, as shipped with Fedora release of 15 and 16. Please schedule an update.
Comment 4 Jan Lieskovsky 2012-04-22 17:27:09 UTC 
Created dokuwiki tracking bugs for this issue

Affects: fedora-all [bug 815123]
Affects: epel-all [bug 815124]
Comment 5 Jan Lieskovsky 2012-04-23 07:17:45 UTC 
(In reply to comment #1)

The CVE identifier of CVE-2012-2129 has been assigned to the XSS issue (upstream bug #2487):

> Upstream bug report for the XSS issue:
> [4] http://bugs.dokuwiki.org/index.php?do=details&task_id=2487
> 

and identifier of CVE-2012-2128 to the CSRF / XSRF issue (upstream bug #2488):

> Upstream bug report for the CSRF issue:
> [5] http://bugs.dokuwiki.org/index.php?do=details&task_id=2488

http://www.openwall.com/lists/oss-security/2012/04/23/1
Comment 6 Fedora Update System 2012-05-02 20:50:14 UTC 
dokuwiki-0-0.11.20110525.a.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-05-11 22:03:52 UTC 
dokuwiki-0-0.11.20110525.a.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-05-11 22:04:31 UTC 
dokuwiki-0-0.9.20110525.a.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-05-27 01:51:34 UTC 
dokuwiki-0-0.10.20110525.a.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-06-12 00:26:56 UTC 
dokuwiki-0-0.10.20110525.a.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.