CVE-2016-7965
Published: 31 October 2016
DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header.) The vulnerability can be triggered only if the Host header is not part of the web server routing process (e.g., if several domains are served by the same web server).
Notes
Author | Note |
---|---|
ebarretto | Setting to ignored as upstream won't fix it. Maintainer note: Autodetecting the host is an important feature for setting up wiki farms and it is a major convenience factor for our users (on installation, on moving the wiki between servers and accessing it from different network locations), so I'm leaning towards a WONTFIX here. |
Priority
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |