The call= parameter on https://www.dokuwiki.org/lib/exe/ajax.php does not properly encode user input, which leads to a reflected file download (RFD) vulnerability.
The server responds with: AJAX call
This can lead to arbitrary code execution on a victim’s machine.
Reproduction on Windows
- Open Chrome Browser
- Visit redacted, which contained a link with a download attribute.
- Right-click the Download link, click "Save Link As", and save.
- installer.bat should then download, which contains the attacker’s shellcode, downloaded from
If the user runs this batch file on Windows, it will open the calculator! This could lead to full compromise of the victim's computer.
I recommend URL-encoding characters such as | in the server response (when the AJAX call is not found). This could also be done via htmlspecialchars.
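The following PHP is an added illustration of the fix recommended above; it is not DokuWiki's own code and not the linked patch. It shows a hypothetical "unknown AJAX call" error path in its reflecting form next to a hardened form, so the two responses can be compared for the same constructed input. The function names, the 404 status and the allow-listed character class are assumptions made for the example.

```php
<?php
// Added example (not DokuWiki's code): the reflecting and hardened versions of a
// hypothetical "unknown AJAX call" error message, for the same input.

// Reflecting form: the raw request parameter is copied into the response body.
// Because the body is then attacker-controlled, a link carrying a download
// attribute can make the browser save it under a filename of the link author's choosing.
function unknown_call_reflecting(string $call): string
{
    return "AJAX call '" . $call . "' unknown!\n";
}

// Hardened form: first reduce the reflected value to an allow-listed character
// class (this drops shell metacharacters such as | & > and quotes outright), then
// HTML-encode whatever remains. htmlspecialchars on its own leaves '|' untouched,
// which is why the allow-list step comes first.
function unknown_call_hardened(string $call): string
{
    $clean = preg_replace('/[^A-Za-z0-9_.-]/', '', $call);
    return "AJAX call '" . htmlspecialchars($clean, ENT_QUOTES, 'UTF-8') . "' unknown!\n";
}

// Defence in depth on the error path (assumed headers, chosen for this example):
// a server-supplied attachment filename takes precedence over a link's download
// attribute, and nosniff stops the browser from guessing a different content type.
function send_unknown_call_error(string $call): void
{
    http_response_code(404);
    header('Content-Type: text/plain; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="error.txt"');
    echo unknown_call_hardened($call);
}

// Constructed sample input: a call name carrying a pipe and a double quote.
$sample = 'foo|bar"baz';
echo "reflecting: " . unknown_call_reflecting($sample);   // pipe and quote reach the body unchanged
echo "hardened:   " . unknown_call_hardened($sample);     // AJAX call 'foobarbaz' unknown!
```

The allow-list step is what removes the batch-relevant characters; the encoding step keeps the message safe if it is ever rendered as HTML. The Content-Disposition header belongs only on the error response, not on the JSON or HTML fragments a real AJAX endpoint returns to legitimate callers.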
The patch for this issue can be found here.
Support Corben Leo by rewarding them with a bounty for their finding.
Corben Leo accepts payments via PayPal to firstname.lastname@example.org.
- Log in to your PayPal account.
- Click "Send money to a friend" at the top of the page.
- Type email@example.com, and the amount being sent.
- Click "Next".
- Review and confirm the information on the screen and click "Send".
Corben Leo accepts Bitcoin payments via:
Corben Leo accepts Ethereum payments via: