Compass Security discovered an XSS vulnerability in DokuWiki's spellchecker backend.
The spellchecker tests the browser's UTF-8 capabilities by sending a UTF-8 string to the backend, which sends it back unfiltered. By comparing the string lengths, the spellchecker can work around broken implementations. An attacker could construct a form that makes users send JavaScript to the spellchecker backend, resulting in malicious JavaScript being executed in their browser.
All versions up to and including 2007-06-26 are affected, even when the spell checker is disabled.
The vulnerability is only exploitable with Microsoft Internet Explorer (because of its broken MIME handling); other browsers will not execute the JavaScript sent back.
An updated release, 2007-06-26b, was made available at
http://www.splitbrain.org/go/dokuwiki
You may fix the problem yourself by replacing the spell_utf8test() function in lib/exe/spellcheck.php with the following code:
    function spell_utf8test(){
        print substr($_POST['data'],0,3);
    }
If you fix it yourself, you should increase the number in conf/msg to 10 to disable the update notification for this issue.
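
One way to confirm both manual steps on a server, as an added example that is not code from DokuWiki or from this advisory: the script checks that spell_utf8test() in lib/exe/spellcheck.php contains the replacement statement and that conf/msg holds at least 10. The function name check_dokuwiki_spellfix and the acceptance of values above 10 are assumptions.

```shell
#!/bin/sh
# Added example, not DokuWiki code. The two paths come from the advisory;
# the function name check_dokuwiki_spellfix is hypothetical.
check_dokuwiki_spellfix() {
    root=$1
    php="$root/lib/exe/spellcheck.php"
    msg="$root/conf/msg"
    status=0

    if [ ! -f "$php" ]; then
        echo "MISSING: $php"
        return 2
    fi

    # Take spell_utf8test() from its declaration to the next line that starts
    # with a closing brace, then drop all whitespace so layout does not matter.
    body=$(sed -n '/function[[:space:]]*spell_utf8test/,/^[[:space:]]*}/p' "$php" |
        tr -d ' \t\r\n')

    # Heuristic: the patched statement must appear in that function body.
    case $body in
        "")
            echo "UNKNOWN: spell_utf8test() not found in $php"; status=1 ;;
        *"printsubstr(\$_POST['data'],0,3);"*)
            echo "OK: spell_utf8test() truncates the echoed data" ;;
        *)
            echo "UNPATCHED: spell_utf8test() is not the advisory's replacement"; status=1 ;;
    esac

    # The advisory asks for the number in conf/msg to be raised to 10
    # (assumption: a higher number is also acceptable).
    n=""
    [ -f "$msg" ] && n=$(tr -cd '0-9' < "$msg")
    if [ -n "$n" ] && [ "$n" -ge 10 ]; then
        echo "OK: conf/msg is $n"
    else
        echo "CHECK: conf/msg is '${n}', expected 10 or higher"; status=1
    fi
    return $status
}

# Run against a wiki root when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_dokuwiki_spellfix "$1"
fi
```

The function returns 0 when both checks pass, 1 when either fails, and 2 when spellcheck.php is not found under the given root.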