Security Fix
Severity: Medium
Type: Remote Priviledge Escalation
Remote: yes
Vulnerability Details:
This fixes a security hole in the ACL plugins remote API component. The
plugin failed to check for superuser permissions before executing ACL
addition or deletion. This means everybody with permissions to call the
XMLRPC API also had permissions to set up their own ACL rules and thus
circumventing any existing rules.
Risk Assessment:
The XMLRPC API in DokuWiki is marked experimental and off by default. It
also implements an additional safeguard by giving access to a configured
circle of users and groups only. So only a minor number of DokuWiki
installations will be affected at all.
For affected installations the risk is high if users with access to the
API are not to be trusted.
Thus the overall severity of medium.
Resolution:
Installations applying this commit are safe. A hotfix is about to be
released. Meanwhile users are advised to disable the XMLRPC API in the
config manager.
Since Chrome 37, they send differen accept encodings for POST and GET
requests which will break BrowserUID checks as reported in
cosmocode/dokuwiki-plugin-oauth/issues/3
See https://code.google.com/p/chromium/issues/detail?id=410559 for
official bug report at Google
* master: (214 commits)
release preparations
postgresql auth plugin: correct function name
parse AT parameter: first strtotime then timestamp remove config option
move more strings to lang.php
move strings to lang.php
add placeholders for create page text
phpdocs parserutils
improve some scrutinizer issues
visibility plugin methods
use config cascade for loading of localizations
reformatting config cascade
add lang files to cascading
work around missing gzopen on certain systems #865
translation update
fix scrutinizer issues
fixed typos in docblock comments
do not allow empty passwords
clean user credentials from control chars
added filter method to INPUT class
translation update
...
* origin/auth_getUserData_improvements:
KISS - remove class constants for REQUIRE_GROUPS & IGNORE_GROUPS and replace with boolean values
use $requireGroups constants in auth classes; comments; code improvements
fix comment errors, sp. & grammar
code styling - add missing braces
Allow user info to be retrieved without groups
Restore correct public interface of getUserData() for authldap plugin
Conflicts:
inc/common.php
Guy Brand