CVE-2010-0289 in DokuWiki
Summary
by MITRE
Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25c allow remote attackers to hijack the authentication of administrators for requests that modify access control rules, and other unspecified requests, via unknown vectors.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/30/2026
The CVE-2010-0289 vulnerability represents a critical cross-site request forgery weakness discovered in DokuWiki's ACL Manager plugin prior to version 2009-12-25c. This vulnerability specifically targets the plugins/acl/ajax.php file within the DokuWiki content management system, creating a significant security risk for administrators who manage access control rules. The flaw allows remote attackers to exploit the authentication mechanism by crafting malicious requests that appear to originate from legitimate administrative sessions, thereby enabling unauthorized modification of access control settings and potentially compromising the entire system's security posture.
The technical implementation of this CSRF vulnerability stems from the absence of proper authentication tokens or session validation mechanisms within the AJAX endpoint that handles access control modifications. When administrators perform administrative tasks through the web interface, the system should validate that requests originate from authenticated users with proper authorization levels. However, the vulnerable implementation fails to verify the authenticity of requests sent through the ajax.php file, making it possible for attackers to construct malicious web pages or emails that, when visited by an authenticated administrator, automatically submit requests to modify access control rules without the administrator's knowledge or consent.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it directly threatens the integrity of the entire access control system within DokuWiki installations. An attacker who successfully exploits this CSRF vulnerability could modify user permissions, grant unauthorized access to sensitive content, or completely disable access control mechanisms, effectively rendering the security controls useless. This represents a severe threat to data confidentiality and system integrity, particularly in environments where DokuWiki serves as a collaborative platform for managing sensitive information or where multiple users with varying permission levels exist.
From a cybersecurity perspective, this vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in web applications. The attack vector leverages the trust relationship between the web application and authenticated users, exploiting the fact that browsers automatically include authentication cookies with requests to the same domain. The ATT&CK framework categorizes this as a privilege escalation technique, specifically within the credential access and persistence domains, as attackers can use the compromised administrative privileges to maintain long-term access to systems and data. Organizations using DokuWiki should immediately implement mitigations including input validation, CSRF token implementation, and regular security updates to prevent exploitation of this vulnerability. The vulnerability also underscores the importance of proper session management and authentication verification in web applications, particularly those handling sensitive administrative functions.