[Security Vulnerability] XSS injection in iconify.php #506
Comments
Tagging @giterlizzi as this is a security vulnerability.
@issmirnov Thanks for reporting this issue. Did you find this issue using security scanning?
Yep, I had some automated scans set up against my personal instance, and they flagged this issue.
Given that this is a security issue, will you be able to roll out a new release?
Yes, a new release with this and other fixes will be rolled out today.
giterlizzi added a commit to giterlizzi/dokuwiki-plugin-icons that referenced this issue on Aug 28, 2020: (special thanks to @issmirnov for reporting this security issue) giterlizzi/dokuwiki-template-bootstrap3#506
Description
Type: Vulnerability
There is an XSS vulnerability in the iconify.php for material design icons.
Sample payload: http://example.wiki/lib/tpl/bootstrap3/iconify.php?icon=mdi-earth-arrow-right.svg&color=%22%3E%3C/path%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E%3Cimg%20x=%22
When running Chrome, a popup will appear.
Steps to reproduce
Change example.wiki to a wiki running latest hogfather and latest bootstrap3 template.
Expected behavior: iconify.php should not accept raw input from users.
Actual behavior: XSS vulnerability.
Versions
Screenshots or Logs
Not posting for privacy, I don't want my wiki domain known for an XSS. You can reproduce this yourself.
Analysis
The params array here should perform XSS protection, rather than blindly saving all input variables and then rendering them.
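As an added illustration of the analysis above (this is not the template's own code): a hypothetical handler that copies every query parameter into $params and interpolates color straight into the SVG, beside a hardened version that validates color against an allow-list and escapes it on output. The function names, the default colour and the path data are assumptions.

```php
<?php
// Added example, not code from dokuwiki-template-bootstrap3.
// Vulnerable pattern from the issue's analysis: every query parameter is
// saved into $params and later emitted unescaped, so a color value such as
// "></path><script>...</script><img x=" breaks out of the fill attribute.
function renderIconUnsafe(array $query, string $pathData): string
{
    $params = [];
    foreach ($query as $key => $value) { // blindly saves all input
        $params[$key] = $value;
    }
    return '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
         . '<path fill="' . ($params['color'] ?? '#000') . '" d="' . $pathData . '"/>'
         . '</svg>';
}

// Hardened version: accept only a CSS hex colour or a bare colour keyword,
// fall back to a default otherwise, and still escape on output (defence in depth).
function sanitizeColor(?string $color, string $default = '#000000'): string
{
    if ($color === null) {
        return $default;
    }
    $isHex     = preg_match('/\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\z/', $color) === 1;
    $isKeyword = preg_match('/\A[a-zA-Z]{1,20}\z/', $color) === 1;
    return ($isHex || $isKeyword) ? $color : $default;
}

function renderIconSafe(array $query, string $pathData): string
{
    $fill = htmlspecialchars(sanitizeColor($query['color'] ?? null), ENT_QUOTES | ENT_XML1, 'UTF-8');
    return '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
         . '<path fill="' . $fill . '" d="' . $pathData . '"/>'
         . '</svg>';
}

// Constructed requests: the decoded color value from the issue's payload, and a benign one.
$evil   = ['icon' => 'mdi-earth-arrow-right.svg',
           'color' => '"></path><script>alert(\'XSS\')</script><img x="'];
$benign = ['icon' => 'mdi-earth-arrow-right.svg', 'color' => '#ff0000'];
$path   = 'M12 2L2 7l10 5 10-5-10-5z'; // placeholder path data, not a real icon

$unsafe = renderIconUnsafe($evil, $path);
$safe   = renderIconSafe($evil, $path);
echo 'unsafe output contains <script>: ', var_export(strpos($unsafe, '<script>') !== false, true), "\n";
echo 'safe output contains <script>:   ', var_export(strpos($safe, '<script>') !== false, true), "\n";
echo renderIconSafe($benign, $path), "\n";
```

Validation before output matters here because the response is an SVG document, where an injected script element runs when the file is opened directly in a browser; escaping alone would also close the hole, but the allow-list keeps the attribute value within what a colour can legitimately be.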