#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# Product: DokuWiki
# Vendor:  DokuWiki Project
# Subject: Cross-site scripting - XSS
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date:    July 19th 2007
#
#############################################################

Introduction:
-------------
Compass Security discovered a web application security flaw
in the DokuWiki application.

Vulnerable:
-----------
DokuWiki Version 2007-06-26 and prior

Not vulnerable:
---------------
DokuWiki Version 2007-06-26b

Patches:
--------
DokuWiki Version 2007-06-26b available from the DokuWiki
download page.

Fix:
----
Remove the function spell_utf8test() from the PHP script
named lib/exe/spellcheck.php

Description:
------------
The spell checker PHP script provides a test function which
reflects unfiltered user input. Due to Microsoft's Internet
Explorer mime-sniffing feature, injected JavaScript code gets
executed even though the Content-Header is set to text/plain. 

Exploting the vulnerability will lead to so-called cross-site
scripting (XSS) and allows the impersonation of logged-in
DokuWiki users.

Milestones:
-----------
July 18th, Vulnerability discovered
July 18th, Vendor notified
July 19th, Vendor provided patched version

References:
-----------
Vendor Bug Report reference:
http://bugs.splitbrain.org/index.php?do=details&task_id=1195

DokuWiki reference:
http://wiki.splitbrain.org/wiki:dokuwiki

DokuWiki is a standards compliant, simple to use Wiki, mainly
aimed at creating documentation of any kind. It is targeted at
developer teams, workgroups and small companies. It has a
simple but powerful syntax which makes sure the datafiles
remain readable outside the Wiki and eases the creation of
structured texts. All data is stored in plain text files - no
database is required.

XSS reference:
http://en.wikipedia.org/wiki/Cross-site_scripting

Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in web applications which allow
code injection by malicious web users into the web pages
viewed by other users. Examples of such code include HTML code
and client-side scripts. An exploited cross-site scripting
vulnerability can be used by attackers to bypass access
controls such as the same origin policy. Recently,
vulnerabilities of this kind have been exploited to craft
powerful phishing attacks and browser exploits. Cross-site
scripting was originally referred to as CSS, although this
usage has been largely discontinued.