This is the issue tracking system for DokuWiki. You may add bugs and feature wishes here.
Please post support requests and plugin wishes in the forum. Bug reports for plugins should be reported in the plugin's tracker linked from the plugin page.
To prevent spamming anonymous task adding had to be disabled.
FS#1853 - CSRF Vulnerability in ACL Manager
Attached to Project:
DokuWiki
Opened by Andreas Gohr (andi) - Sunday, 17 January 2010, 11:50 GMT+1
Last edited by Andreas Gohr (andi) - Sunday, 17 January 2010, 11:50 GMT+1
Details: On deeper analysis of the ACL Manager's security, it was found that the plugin does no checks against cross-site request forgeries (CSRF). This can be exploited to, for example, change the access control rules by tricking a logged-in administrator into visiting a malicious web site. A fixed DokuWiki version named 2009-12-25c was released and can be downloaded at http://www.splitbrain.org/go/dokuwiki. The problem can also be fixed manually by replacing the ACL Manager plugin in lib/plugins/acl with the fixed version provided at http://www.dokuwiki.org/_media/plugin:acl-plugin.tgz and increasing the number in conf/msg to 25.
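The following is an added example, not code from DokuWiki or from the ACL Manager plugin: a minimal ACL-update handler in the unprotected form the report describes, beside the same handler guarded by a per-session security token carried in a hidden form field. All function names, field names and the in-memory session and rule table are assumptions made for the illustration; the point it shows is that an authenticated session alone does not stop a forged POST, while a random token the attacker's page cannot read does.

```php
<?php
// Added illustration, not DokuWiki's own code. Function and field names are
// assumptions; the session and ACL table are constructed in memory.

declare(strict_types=1);

// Constructed stand-ins for the PHP session and the ACL rule table.
$session = ['user' => 'admin', 'sectok' => null];
$acl     = ['*' => ['@ALL' => 1]];   // namespace => group/user => permission

// Vulnerable: every POST that reaches the handler is honoured, whether it was
// sent from the real admin form or from a <form> auto-submitted by a malicious
// site the logged-in administrator happened to visit. The browser attaches the
// session cookie either way, so the login check passes.
function acl_update_unprotected(array &$acl, array $session, array $post): bool
{
    if ($session['user'] !== 'admin') {
        return false;
    }
    $acl[$post['ns']][$post['who']] = (int) $post['perm'];
    return true;
}

// Hardened: the admin form embeds a random per-session token as a hidden
// field. A third-party page cannot read it (same-origin policy), so a forged
// request arrives without a valid token and is rejected.
function get_security_token(array &$session): string
{
    if (empty($session['sectok'])) {
        $session['sectok'] = bin2hex(random_bytes(16));
    }
    return $session['sectok'];
}

function check_security_token(array $session, array $post): bool
{
    return isset($post['sectok'], $session['sectok'])
        && hash_equals($session['sectok'], (string) $post['sectok']);   // constant-time compare
}

function acl_update_protected(array &$acl, array $session, array $post): bool
{
    if ($session['user'] !== 'admin' || !check_security_token($session, $post)) {
        return false;
    }
    $acl[$post['ns']][$post['who']] = (int) $post['perm'];
    return true;
}

// A forged request: the attacker knows the form field layout but not the
// token. The permission value is an arbitrary elevated level (assumed).
$forged = ['ns' => '*', 'who' => '@ALL', 'perm' => 255];

$a = $acl;
acl_update_unprotected($a, $session, $forged);
printf("unprotected: @ALL now has permission %d\n", $a['*']['@ALL']);

$b = $acl;
$token = get_security_token($session);        // what the real form would embed
$ok = acl_update_protected($b, $session, $forged);
printf("protected, forged request: accepted=%s, @ALL still %d\n",
       $ok ? 'yes' : 'no', $b['*']['@ALL']);

$legit = $forged + ['sectok' => $token];      // a genuine submission from the admin form
$ok = acl_update_protected($b, $session, $legit);
printf("protected, genuine request: accepted=%s, @ALL now %d\n",
       $ok ? 'yes' : 'no', $b['*']['@ALL']);
```

Run it with `php acl_csrf.php` (PHP 7 or later for `random_bytes`). The token must be bound to the session and checked on every state-changing request, not only on the first page of the ACL form; checking the Referer header instead is weaker, since browsers and proxies may strip it and the handler then has to choose between rejecting legitimate requests and accepting forged ones.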
Closed by Andreas Gohr (andi)
Sunday, 17 January 2010, 11:50 GMT+1
Reason for closing: Fixed
Additional comments about closing: fixed in 2009-12-25c
Comment by Andreas Gohr (andi) -
Sunday, 17 January 2010, 12:53 GMT+1
Please also read http://www.splitbrain.org/blog/2010-01/17-dokuwiki-security