A Cross-site Scripting (XSS) vulnerability has been discovered in DokuWiki versions before 2023-04-04a. The vulnerability lies in the handling of RSS titles, making it possible for an attacker to inject malicious code through the titles. This post will cover the details of the vulnerability, including how to identify the vulnerable code, links to original references, and potential exploit details.

Technical Details of CVE-2023-34408

CVE-2023-34408 allows an attacker to carry out an XSS attack by injecting malicious JavaScript code into the title of an RSS feed item. DokuWiki, a popular open-source wiki application, does not properly sanitize titles when rendering RSS feeds. An attacker can exploit this oversight to include malicious content in the feed titles to compromise unsuspecting users' systems.

Affected DokuWiki Versions

The affected versions of DokuWiki are those released before the 2023-04-04a update.

Vulnerable Code Snippet

The problem lies in the improper handling of user input in the RSS feed title. Below is a code snippet from the DokuWiki source code that demonstrates the issue:

// In DokuWiki, older version file (before 2023-04-04a)
while($item = $rss->get_item()){
  // Vulnerable code
  $title = $item->get_title();
  ...
}

In the above code snippet, the $title variable does not undergo proper sanitization before being rendered, allowing malicious content to be displayed.
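The following added example (not DokuWiki source code) renders the titles of a constructed sample feed twice, once as-is and once HTML-encoded at output. PHP's SimpleXML stands in for the feed parser used in the snippet above, and the names renderTitles and escapeForHtml are hypothetical.

```php
<?php
// Added illustration, not DokuWiki source code.
// Constructed sample feed: one benign title and one title carrying markup.
// The markup is XML-entity-encoded in the feed, as it must be to be well-formed.
$feedXml = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Constructed sample feed</title>
<item><title>Release notes</title></item>
<item><title>&lt;script&gt;alert('XSS vulnerability exploited!')&lt;/script&gt;</title></item>
</channel></rss>
XML;

// Hypothetical helper: HTML-encode a feed-supplied string for output.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical renderer: builds an HTML list of item titles.
// $escape = false mirrors the behaviour described above; true encodes at output.
function renderTitles(string $xml, bool $escape): string
{
    $feed = simplexml_load_string($xml);
    if ($feed === false) {
        throw new RuntimeException('Feed is not well-formed XML');
    }
    $html = "<ul>\n";
    foreach ($feed->channel->item as $item) {
        // The XML parser has already decoded &lt; and &gt; back to < and >,
        // so the string here contains live markup again.
        $title = (string) $item->title;
        $shown = $escape ? escapeForHtml($title) : $title;
        $html .= '<li>' . $shown . "</li>\n";
    }
    return $html . "</ul>\n";
}

echo "--- title rendered as-is ---\n", renderTitles($feedXml, false);
echo "--- title encoded at output ---\n", renderTitles($feedXml, true);
```

In the second listing the title appears as inert text because its angle brackets and quotes are emitted as HTML entities.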

Exploit Details

To exploit the vulnerability, an attacker would first need to find a DokuWiki installation that allows untrusted users to create or edit pages with RSS feed items. Then, they can create or edit an RSS feed item, making sure to include malicious JavaScript code in the title. When the targeted user views the feed, the malicious code will be executed, potentially compromising the user's system.

An example of a malicious RSS title might look like this:

<script>alert('XSS vulnerability exploited!')</script>

The above example will trigger an alert window with the message "XSS vulnerability exploited!" This is a simple example meant to demonstrate the vulnerability; an attacker could use more sophisticated scripts to carry out a wide range of attacks on users, from stealing cookies and session information to spreading malware.

Mitigation and Resolution

Users of DokuWiki are advised to update their installations to version 2023-04-04a or later to fix the vulnerability. The latest version of DokuWiki can be downloaded from the official DokuWiki website at the following link:

- Download DokuWiki 2023-04-04a or later

Original References and Further Reading

For more information on CVE-2023-34408 and the corresponding fixes, please refer to the following resources:

- CVE-2023-34408 - NVD (National Vulnerability Database)
- DokuWiki Security Advisory
- DokuWiki Official Website

Conclusion

CVE-2023-34408 is a critical XSS vulnerability in the handling of RSS titles in DokuWiki versions before 2023-04-04a. Users are strongly encouraged to update their installations as soon as possible to ensure the security of their data and systems. Stay vigilant and keep your software up to date to protect against such vulnerabilities.

Timeline

Published on: 06/05/2023 02:15:00 UTC
Last modified on: 06/09/2023 18:44:00 UTC