This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests
are now tracked at the issue tracker at Github.
Closed
Not a bug
Not a bug
FS#1850 XSS vulnerability in dokuwiki gallery plugin
Security
-
2010-01-13 netaddict
Hi,
I discoverd a little XSS vulnerability in the Dokuwiki gallery plugin. It looks like the output in the lightbox isn't sanitized correctly. I've injected some nice HTML tags with exiftool into a jpg and in lightbox mode they are shown. The function media_contentcheck prevents the upload of such images, but not in every case. It checks just the first 256 bytes of an image, but if you have a big EXIF header (from a digtal camera) this is not enough.
Screenshots and the test image is attached to this bug report. -
2010-01-13 andi
not a bug in dokuwiki, please report in the plugin bugtracker
