The user properties (login, real name, etc) where not properly escaped
in the user manager's edit form. This allowed a XSS attack on the
superuser by registered users.

Thanks to Filippo Cavallarin from www.segment.technology for discovering
this bug.

Since we cannot effectively filter for groups and have to work with
incremental prefetching, the ``last`` button is mostly broken/buggy.
Hence it is disabled in this usecase.

attribute holding the username, 'modPass' allows to disable
password changing by the user.

Security Fix

Severity: Medium
Type:     Remote Priviledge Escalation
Remote:   yes

Vulnerability Details:

This fixes a security hole in the ACL plugins remote API component. The
plugin failed to check for superuser permissions before executing ACL
addition or deletion. This means everybody with permissions to call the
XMLRPC API also had permissions to set up their own ACL rules and thus
circumventing any existing rules.

Risk Assessment:

The XMLRPC API in DokuWiki is marked experimental and off by default. It
also implements an additional safeguard by giving access to a configured
circle of users and groups only. So only a minor number of DokuWiki
installations will be affected at all.
For affected installations the risk is high if users with access to the
API are not to be trusted.
Thus the overall severity of medium.

Resolution:

Installations applying this commit are safe. A hotfix is about to be
released. Meanwhile users are advised to disable the XMLRPC API in the
config manager.

This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com

This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com

In an older version of PHP a file_exists() call would issue a warning
when the file did not exist. This was fixed in later PHP releases. Since
we require PHP 5.3 now, there's no need to supress any error here
anymore. This might even give a minor performance boost.