
Maintainer & News kuliax on 23 Jul 2007 08:26 am

XSS Vulnerability Fixed

We received a notification from DokuWiki when we logged in to the wiki at kuliax.org on July 19, 2007. It told us that an XSS vulnerability had been discovered in DokuWiki and that we should read the bug report for a manual fix or upgrade to the current version.

The vulnerability was actually discovered in the spellchecker backend and affects all versions up to 2007-06-26, even when the spellchecker is disabled. We only learned from the bug report that the vulnerability is exploitable with the IE browser alone, because of its broken MIME handling.

We decided to apply the manual fix at the time, replacing the spell_utf8test() function in lib/exe/spellcheck.php with:

function spell_utf8test(){
    // Echo back only the first 3 bytes of the posted data: enough for the
    // UTF-8 round-trip test, too short to reflect any attacker-supplied markup.
    print substr($_POST['data'],0,3);
}
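To make the fix concrete, here is an added example (not DokuWiki's code and not from the original post) that runs the patched function next to an assumed reconstruction of the unpatched one and a hardened variant. The unpatched body is an assumption based on the fix above (the original simply echoed the whole POST body); the header names, the run_handler() harness and the sample inputs are all constructed for this example.

```php
<?php
// Added example: reflected input in the spellchecker's UTF-8 self-test and
// two ways to close it. Run with: php spellcheck_demo.php

// Assumed original: whatever the client POSTs comes straight back.
// A browser that trusts text/plain shows it as text, but IE of that era
// sniffed the body and rendered it as HTML when it looked like markup,
// so a crafted POST could execute script in the wiki's origin.
function spell_utf8test_vulnerable() {
    print $_POST['data'];
}

// Fixed (as on the page): only the first 3 bytes are echoed. Three bytes
// still prove that a multibyte UTF-8 character survives the round trip,
// but cannot form a complete tag, so nothing useful is reflected.
function spell_utf8test_fixed() {
    print substr($_POST['data'], 0, 3);
}

// Hardened (added here, an assumption about what a current deployment
// would do): same truncation, plus explicit headers so browsers that
// honour X-Content-Type-Options (IE8 and later; it did not exist in 2007)
// never sniff the response into HTML.
function spell_utf8test_hardened() {
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    print substr($_POST['data'], 0, 3);
}

// Run a handler against a simulated POST and capture what it would send.
function run_handler(callable $handler, string $data): string {
    $_POST['data'] = $data;
    ob_start();
    $handler();
    return ob_get_clean();
}

// Constructed inputs: the legitimate self-test string (one 3-byte UTF-8
// character) and an attacker's HTML payload.
$legit   = "\xE2\x82\xAC";   // the euro sign in UTF-8
$payload = '<script>alert(document.cookie)</script>';

foreach (['vulnerable', 'fixed', 'hardened'] as $variant) {
    $fn = "spell_utf8test_$variant";
    printf("%-10s legit  -> %s\n", $variant, bin2hex(run_handler($fn, $legit)));
    printf("%-10s attack -> %s\n", $variant, var_export(run_handler($fn, $payload), true));
}
```

Run from the command line, the vulnerable variant echoes the full script payload while the fixed and hardened variants return the 3-byte euro sign intact but only "<sc" of the payload, which is why the one-line truncation closes the hole even without the extra headers. The headers are cheap insurance against browsers that still sniff.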

We also increased the number in conf/msg to 10 to disable the update notification for the XSS vulnerability.
