dokuwiki -- XSS vulnerability in spellchecker backend

ID CDDDE37A-39B5-11DC-B3DA-001921AB2FA4
Type freebsd
Reporter FreeBSD
Modified 2007-06-26T00:00:00


DokuWiki reports:

The spellchecker tests the UTF-8 capabilities of the used browser by sending a UTF-8 string to the backend, which will send it back unfiltered. By comparing string length the spellchecker can work around broken implementations. An attacker could construct a form to let users send JavaScript to the spellchecker backend, resulting in malicious JavaScript being executed in their browser. Affected are all versions up to and including 2007-06-26, even when the spell checker is disabled.
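
The echo behaviour described in the report, modelled beside a hardened variant that keeps the length comparison but returns only a count. This is an added example in Python, not DokuWiki's code; the function names, probe string and response headers are assumptions.

```python
# Added illustration: a model of the behaviour, not DokuWiki's code.
# All names here are hypothetical.

PROBE = "\u00e4\u00f6\u00fc"  # constructed UTF-8 probe string (3 code points)
# Constructed sample of a cross-site form submission that carries markup.
FORGED = PROBE + "<script>x</script>"


def echo_unfiltered(raw: bytes):
    """Pattern from the advisory: request bytes go back as-is in an HTML response."""
    return {"Content-Type": "text/html; charset=utf-8"}, raw


def echo_length_only(raw: bytes):
    """Hardened variant: report how many code points arrived, never the data."""
    try:
        count = len(raw.decode("utf-8", errors="strict"))
    except UnicodeDecodeError:
        count = -1  # the browser did not send valid UTF-8
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    # The body is ASCII digits (or "-1"), so nothing the requester supplied
    # is reflected into the response.
    return headers, str(count).encode("ascii")


def client_utf8_ok(sent: str, body: bytes) -> bool:
    """Client-side check: does the backend's count match what was sent?"""
    return body.decode("ascii") == str(len(sent))


if __name__ == "__main__":
    for name, handler in (("unfiltered", echo_unfiltered),
                          ("length-only", echo_length_only)):
        headers, body = handler(FORGED.encode("utf-8"))
        print(name, headers["Content-Type"], body)
```

The length-only handler still distinguishes a browser that mangles the probe (the count comes back as -1 or differs) from one that sends it intact.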