DokuWiki "ns" Cross-Site Scripting Vulnerability


Secunia ID

SA49196

CVE-ID

CVE-2012-0283

Release Date

13 Jul 2012

Criticality

Less Critical

Solution Status

Vendor Patch

Software

DokuWiki

Where

From remote

Impact

Cross-Site Scripting

Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system.

Different Cross-Site Scripting related vulnerabilities are also classified under this category, including "script insertion" and "cross-site request forgery".

Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks.

Description

Secunia Research has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "ns" POST parameter in lib/exe/ajax.php (when "call" is set to "medialist" and "do" is set to "media") is not properly sanitised within the "tpl_mediaFileList()" function in inc/template.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

The vulnerability is confirmed in version 2012-01-25a. Prior versions may also be affected.

Solution

Update to version 2012-01-25b.
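
A regression check for the update, added here as an example (not code from Secunia or DokuWiki): it classifies how a value submitted in "ns" comes back in the response body. The probe string, function names and sample responses are constructed; `post` is a caller-supplied function that sends the form body to lib/exe/ajax.php on your own installation and returns the response text.

```python
import html
from urllib.parse import urlencode

# Constructed, inert marker: it carries the characters HTML encoding must
# neutralise (" < >) but contains no script.
PROBE = 'probe"><i data-x=1>'

def build_form(ns_value):
    """Form body using the parameters the advisory names for lib/exe/ajax.php."""
    return urlencode({"call": "medialist", "do": "media", "ns": ns_value})

def classify_reflection(body, probe=PROBE):
    """Classify how `probe` appears in an HTML response body.

    'raw'     - returned with its metacharacters intact (unencoded output)
    'encoded' - returned only as HTML entities, in any entity spelling
    'absent'  - not returned verbatim (filtered, rewritten or not echoed)
    """
    if probe in body:
        return "raw"
    if probe in html.unescape(body):
        return "encoded"
    return "absent"

def check(post, probe=PROBE):
    """`post` is a caller-supplied callable: form body in, response text out."""
    return classify_reflection(post(build_form(probe)), probe)

# Constructed sample responses (not captured from a real DokuWiki instance).
UNENCODED_SAMPLE = '<h3>Files in ' + PROBE + '</h3>'
ENCODED_SAMPLE = '<h3>Files in ' + html.escape(PROBE) + '</h3>'
FILTERED_SAMPLE = '<h3>Files in probe_i_data-x_1</h3>'

if __name__ == "__main__":
    for name, body in [("unencoded", UNENCODED_SAMPLE),
                       ("encoded", ENCODED_SAMPLE),
                       ("filtered", FILTERED_SAMPLE)]:
        print(name, "->", check(lambda form, b=body: b))
```

A result of 'raw' means the response returned the value without HTML encoding; 'encoded' and 'absent' both mean the metacharacters did not reach the page intact.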

Reported by

Secunia Research.

Original Advisory

DokuWiki:
http://bugs.dokuwiki.org/index.php?do=details&task_id=2561

Secunia Research:
http://secunia.com/secunia_research/2012-24/