Corben Leo reported this to DokuWiki.


The call= parameter on does not properly encode user input, which leads to a reflected file download (RFD) vulnerability: the parameter value is echoed verbatim into a response that a crafted link can make the browser save as a file.


For example, with call=||calc|| the server responds with: AJAX call '||calc||' unknown!


Because the reflected text becomes the contents of the downloaded file, this can lead to arbitrary code execution on a victim’s machine once the file is run.

Reproduction on Windows

  1. Open the Chrome browser.
  2. Visit redacted - the page contained a link with a download attribute pointing at the vulnerable endpoint.
  3. Right-click the Download link, click Save Link As, and save.
  4. installer.bat should then download; it contains the attacker’s payload (the reflected ||calc|| text), downloaded from

If the user runs this batch file on Windows, it opens the calculator: cmd.exe fails to execute the text before ||, so the command after it runs. With a real payload in place of calc, this could lead to the entire compromise of the victim’s computer.


I recommend URL encoding any characters in the server response (if the ajax call is not found) such as &, ; and |, or better, not echoing the call name at all. Note that htmlspecialchars alone does not solve this: it encodes &, <, >, " and ' but leaves | and ; untouched, so the cmd.exe command separators survive in the downloaded file. Restricting the echoed name to [A-Za-z0-9_] before reflecting it, and sending a fixed Content-Disposition filename together with X-Content-Type-Options: nosniff, also removes the download primitive itself.
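The following is an added example, not DokuWiki's code or the reporter's, that models the behaviour in the reproduction steps above and the fix discussed here. The handler names, the KNOWN_CALLS allowlist and the SAFE_CALL pattern are assumptions; the cmd.exe splitting is an approximation of how a batch line is chained. It shows that the reflected body yields calc as a standalone command, that HTML escaping alone leaves that intact, and that an allowlisted name plus pinned response headers does not.

```python
import html
import re

# Added example, not DokuWiki's handler. Hypothetical allowlist of valid call names.
KNOWN_CALLS = {"lock", "draftdel", "suggestions"}

# cmd.exe command-chain separators, longest alternatives first so "||" is not split as "|","|".
CMD_SEPARATORS = re.compile(r"\|\||&&|\||&")

# Only call names matching this may be echoed back (assumed safe charset).
SAFE_CALL = re.compile(r"^[A-Za-z0-9_]+$")


def vulnerable_response(call: str) -> str:
    """Echoes the unknown call name verbatim, as the report describes."""
    if call in KNOWN_CALLS:
        return "ok"
    return f"AJAX call '{call}' unknown!"


def htmlspecialchars_only(call: str) -> str:
    """What applying htmlspecialchars to the vulnerable response would produce."""
    return html.escape(vulnerable_response(call), quote=True)


def commands_cmd_would_run(batch_line: str) -> list[str]:
    """Approximate how cmd.exe splits one line into chained commands.

    "AJAX call '" is not a command and fails, so whatever follows "||" runs.
    """
    return [part.strip() for part in CMD_SEPARATORS.split(batch_line) if part.strip()]


def rfd_exposed(body: str, injected_command: str) -> bool:
    """True if saving body as a .bat would run injected_command as its own command."""
    return injected_command in commands_cmd_would_run(body)


def hardened_response(call: str) -> tuple[int, dict[str, str], str]:
    """Hardened variant: never echo input outside the safe charset, and pin the
    content type and download filename so a crafted link cannot rename the file.

    Returns (status, headers, body).
    """
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'inline; filename="ajax.txt"',
    }
    if call in KNOWN_CALLS:
        return 200, headers, "ok"
    if SAFE_CALL.match(call):
        # Escaping is defence in depth here; the charset check already excludes | & ;
        return 404, headers, f"AJAX call '{html.escape(call)}' unknown!"
    # Attacker-controlled name is dropped entirely rather than encoded.
    return 404, headers, "AJAX call unknown!"


if __name__ == "__main__":
    payload = "||calc||"
    print(commands_cmd_would_run(vulnerable_response(payload)))
    print("vulnerable exposed:", rfd_exposed(vulnerable_response(payload), "calc"))
    print("escaped exposed:  ", rfd_exposed(htmlspecialchars_only(payload), "calc"))
    status, headers, body = hardened_response(payload)
    print("hardened exposed: ", rfd_exposed(body, "calc"), status, headers, body)
```

Run with a throwaway name such as ||calc|| and compare the three results: the vulnerable and HTML-escaped bodies both contain calc as a separate chained command, while the hardened handler returns a fixed message with headers that name the file and forbid MIME sniffing.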

⚒ The patch for this issue can be found here.

Support Corben Leo by rewarding them with a bounty for their finding.