DokuWiki

IMPORTANT!

This is the old issue tracking system for DokuWiki. Issues cannot be added here anymore. Please refer to https://github.com/splitbrain/dokuwiki/issues for the new system.


FS#1853 - CSRF Vulnerability in ACL Manager

Attached to Project: DokuWiki
Opened by Andreas Gohr (andi) - Sunday, 17 January 2010, 10:50 GMT
Last edited by Andreas Gohr (andi) - Sunday, 17 January 2010, 10:50 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Operating System All
Severity Low
Priority Normal
Reported Version 2009-12-25 "Lemming"
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

On deeper analysis of the ACL Manager security for FS#1847, another security problem was identified.

The plugin performs no checks against cross-site request forgery (CSRF). This can be exploited, for example, to change the access control rules by tricking a logged-in administrator into visiting a malicious web site while their DokuWiki session is active.

A fixed DokuWiki version named 2009-12-25c was released and can be downloaded at http://www.splitbrain.org/go/dokuwiki

The problem can be fixed manually by replacing the ACL Manager plugin in lib/plugins/acl with the fixed version provided at http://www.dokuwiki.org/_media/plugin:acl-plugin.tgz and increasing conf/msg to 25.
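The class of fix the report describes is a synchronizer token: the admin form carries a per-session secret value that a third-party site cannot know, and the server refuses any state-changing request that does not present it. DokuWiki implements this with its own security-token helpers; the Python below is an added illustration, not the ACL plugin's code, and the `AclManager` class, the `sectok` field name, the namespace/permission parameters and the session values are all constructed for the example. It shows the unchecked (vulnerable) save beside the checked (hardened) one.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def make_security_token(session_secret: bytes, session_id: str) -> str:
    """Derive a per-session anti-CSRF token.

    The token is an HMAC over the session id, keyed with a secret that exists
    only on the server, so a page on another origin cannot compute it for a
    victim's session even though the browser attaches the victim's cookies.
    """
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


class AclManager:
    """Toy stand-in for an ACL admin screen (constructed for this example)."""

    def __init__(self, session_id: str, session_secret: Optional[bytes] = None):
        self.session_id = session_id
        # A real deployment keeps this secret server-side, e.g. in the session store.
        self.session_secret = session_secret or secrets.token_bytes(32)
        self.rules: Dict[str, int] = {}  # namespace -> permission level

    def security_token(self) -> str:
        return make_security_token(self.session_secret, self.session_id)

    def render_form(self) -> str:
        """Embed the token in the admin's own form so legitimate submissions carry it."""
        return (
            '<form method="post" action="doku.php?do=admin&page=acl">'
            f'<input type="hidden" name="sectok" value="{self.security_token()}">'
            '<input name="ns"><input name="perm"><button>Save</button></form>'
        )

    def save_unchecked(self, params: dict) -> bool:
        """Vulnerable variant: trusts any request that arrives with the admin's cookies."""
        self.rules[params["ns"]] = int(params["perm"])
        return True

    def save_checked(self, params: dict) -> bool:
        """Hardened variant: applies the change only if the form token matches.

        compare_digest avoids leaking the token through timing differences.
        """
        supplied = params.get("sectok")
        if not isinstance(supplied, str) or not hmac.compare_digest(
            supplied, self.security_token()
        ):
            return False
        self.rules[params["ns"]] = int(params["perm"])
        return True


if __name__ == "__main__":
    admin = AclManager("sess-42")
    # Constructed request as a cross-site page would cause the browser to send it:
    # the admin's cookies are attached, but the page cannot read the token.
    forged = {"ns": "*", "perm": "8"}
    print("unchecked save accepted forged request:", admin.save_unchecked(forged))
    admin.rules.clear()
    print("checked save accepted forged request:", admin.save_checked(forged))
    legit = dict(forged, sectok=admin.security_token())
    print("checked save accepted form submission:", admin.save_checked(legit))
```

The token must be bound to the session (here via the HMAC input) and never placed anywhere a cross-origin page can read it; a GET parameter that ends up in logs or referrers weakens it, which is why the example only emits it as a hidden POST field.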

Closed by  Andreas Gohr (andi)
Sunday, 17 January 2010, 10:50 GMT
Reason for closing:  Fixed
Additional comments about closing:  fixed in 2009-12-25c
Comment by Andreas Gohr (andi) - Sunday, 17 January 2010, 11:53 GMT