Corben Leo reported this to DokuWiki.

Description

The call= parameter on https://www.dokuwiki.org/lib/exe/ajax.php is reflected verbatim into the response body without encoding or validation, which leads to a reflected file download (RFD) vulnerability: an attacker can choose a value that is a valid Windows batch command chain and have the server serve it back in the response.

Example: https://www.dokuwiki.org/lib/exe/ajax.php?call=%7c%7c%63%61%6c%63%7c%7c

The server responds with the body: AJAX call '||calc||' unknown! (the parameter value decodes to ||calc||).

Impact

This can lead to arbitrary command execution on a victim's machine, provided the victim is tricked into saving the response as a batch file and running it.

Reproduction on Windows

  1. Open Chrome Browser
  2. Visit redacted - contained a link with a download attribute
  3. Right click the Download link and click Save Link As and then save.
installer.bat should then download. Its contents are the server response fetched from https://www.dokuwiki.org/lib/exe/ajax.php?call=%7c%7c%63%61%6c%63%7c%7c, so the attacker's command (here ||calc||) is embedded in the batch file while the file itself appears to come from dokuwiki.org.

If the user runs this batch file on Windows, cmd.exe fails to execute "AJAX call '" as a command, and the || operator then runs calc, so the calculator opens. With a different payload in place of calc, this could lead to the entire compromise of the victim's computer.

Patch

I recommend either rejecting call names that contain anything outside a safe character set (for example letters, digits and underscore) before they are echoed, or URL encoding characters such as &, ; and | in the server response when the ajax call is not found. htmlspecialchars alone is not sufficient here: it escapes &, <, >, " and ' but leaves | and ; untouched, so ||calc|| would still be reflected verbatim.
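The fix described above, as an added example that is not DokuWiki's own code or the project's actual patch: a simplified PHP stand-in for the unknown-call branch of ajax.php, with the vulnerable reflection beside a whitelist-based hardened version. The function names, the [A-Za-z0-9_] pattern and the extra response headers are assumptions chosen for illustration.

```php
<?php
// Added example, not DokuWiki's code: a stand-alone stand-in for the
// "unknown call" branch of lib/exe/ajax.php. Function names are hypothetical.

// Vulnerable form: the raw call name is reflected into the body, so the
// input ||calc|| is served back verbatim and forms a valid cmd.exe command
// chain once the response is saved as a .bat file.
function unknownCallVulnerable(string $call): string
{
    return "AJAX call '$call' unknown!";
}

// Hardened form: accept only names built from [A-Za-z0-9_] and never echo
// anything else back, so shell metacharacters such as | ; & cannot reach
// the response body. The pattern is an assumption, not DokuWiki's rule.
function unknownCallHardened(string $call): string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $call)) {
        http_response_code(400);
        return 'invalid AJAX call name';
    }
    return "AJAX call '$call' unknown!";
}

// Defence in depth (assumed, not part of the reported fix): declare the body
// as plain text and forbid MIME sniffing so the browser has less reason to
// treat the response as anything but text. Harmless when run from the CLI.
function sendPlainTextHeaders(): void
{
    if (!headers_sent()) {
        header('Content-Type: text/plain; charset=utf-8');
        header('X-Content-Type-Options: nosniff');
    }
}

// Constructed input: the exact value from the report's URL, which decodes to ||calc||
$payload = rawurldecode('%7c%7c%63%61%6c%63%7c%7c');

sendPlainTextHeaders();
echo unknownCallVulnerable($payload), PHP_EOL;
echo unknownCallHardened($payload), PHP_EOL;

// Why htmlspecialchars() alone is not enough: it escapes & < > " ' but leaves
// | and ; untouched, so the payload survives HTML escaping unchanged.
var_dump(htmlspecialchars($payload) === $payload);
```

Run with `php example.php`: the vulnerable function returns the report's response with ||calc|| intact, the hardened one refuses the name without echoing it, and the final check shows that HTML escaping does not alter the payload at all, which is why a whitelist (or encoding of the shell metacharacters themselves) is the right fix rather than htmlspecialchars.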

⚒ The patch for this issue can be found here.
