[Security Vulnerability] XSS injection in iconify.php

[issmirnov]

Description

Type: Vulnerability

There is a XSS vulnerability in the iconify.php for material design icons.

Sample payload: http://example.wiki/lib/tpl/bootstrap3/iconify.php?icon=mdi-earth-arrow-right.svg&color=%22%3E%3C/path%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E%3Cimg%20x=%22. When running chrome, a popup will appear.

Steps to reproduce

1. Swap out example.wiki to a wiki running latest hogfather and latest boostrap3 template
2. Click on the payload above
3. Observer alert pop up with text "XSS"

Expected behavior: iconify.php should not accept raw input from users.

Actual behavior: XSS vulnerability.

Versions

• [Bootstrap3 Template] Latest release
• [DokuWiki] Latest Hogfather
• [Plugins] Not relevant
• [PHP] 7.4
• [Browser] Latest Chrome

Screenshots or Logs

Not posting for privacy, I don't want my wiki domain known for a XSS. You can reproduce this yourself.

Analysis

The params array here should perform XSS protection, rather than blindly saving all input variables and then rendering them

[issmirnov]

Tagging @giterlizzi as this is a security vulnerability.

[giterlizzi]

@issmirnov Thanks for reporting this issue. You have found this issue using security scanning ?

[issmirnov]

Yep, I had some automated scans set up against my personal instance, and they flagged this issue.

[issmirnov]

Given that this is a security issue, will you be able to roll out a new release?

[giterlizzi]

Yes, today will be rollout a new release with this and other fixes.
Thanks :)