CVE-2016-7965 in DokuWiki
Summary
by MITRE
DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header.) The vulnerability can be triggered only if the Host header is not part of the web server routing process (e.g., if several domains are served by the same web server).
Analysis
by VulDB Data Team • 09/29/2022
The vulnerability identified as CVE-2016-7965 represents a critical security flaw in DokuWiki versions up to and including 2016-06-26a, where the application incorrectly relies on the HTTP_HOST server variable for constructing password reset URLs instead of utilizing the configured baseurl setting. This design decision creates a significant vector for phishing attacks: a remote unauthenticated attacker can control the hostname component of reset URLs simply by setting the HTTP Host header. The flaw specifically manifests when the web server does not incorporate the Host header into its routing decisions, enabling attackers to inject malicious hostnames into the password reset emails that users receive.
This vulnerability directly maps to CWE-601, which addresses URL redirection and forward attacks, and falls under the broader category of insecure direct object references that can be exploited for phishing and social engineering campaigns. The technical implementation issue stems from DokuWiki's insecure handling of user-supplied HTTP headers for URL construction, bypassing proper input validation and sanitization mechanisms that should normally be applied to such critical components. The attack vector exploits the trust relationship between the application and the HTTP protocol by leveraging the fact that HTTP_HOST can be spoofed by attackers without requiring authentication or authorization.
The operational impact of this vulnerability is substantial, as it enables attackers to craft convincing phishing emails that appear to originate from legitimate DokuWiki installations. When users receive password reset emails containing manipulated URLs with malicious hostnames, they may inadvertently navigate to attacker-controlled domains, potentially exposing their credentials or sensitive information. The vulnerability's effectiveness depends on the specific web server configuration where multiple domains are hosted on a single server instance, making the Host header a viable attack surface for manipulation. This scenario commonly occurs in shared hosting environments or reverse proxy setups where the same server instance serves multiple virtual hosts.
Mitigation strategies for CVE-2016-7965 should focus on updating to DokuWiki version 2016-06-26b or later, which addresses the issue by properly utilizing the configured baseurl setting instead of the HTTP_HOST variable. Organizations should also implement proper input validation and sanitization for HTTP headers, particularly in environments where multiple domains are served by the same web server. Security measures including web application firewalls that monitor and filter suspicious Host header values, along with regular security audits of web server configurations, can help reduce the attack surface. Additionally, administrators should consider implementing strict Host header validation policies and ensure that password reset mechanisms are properly isolated from user-controllable input sources. The vulnerability demonstrates the importance of following secure coding practices and the principle of least privilege in web application development, where critical URL construction should never rely on untrusted HTTP headers without proper sanitization.
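As an added illustration of the flaw described above and of the baseurl-based fix, the following Python snippet (example code, not DokuWiki's own PHP) contrasts a reset-link builder that trusts the request's Host header with one that prefers the administrator-configured base URL and, as a fallback, checks the Host header against an explicit allowlist. The `doku.php?do=resendpwd&pwauth=` path, the `allowed_hosts` key, and the sample configurations and headers are assumptions constructed for the example.

```python
"""Added example (not DokuWiki code): build a password-reset link from the
configured base URL instead of the client-controlled Host header."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample configurations. 'baseurl' mirrors the DokuWiki setting
# name; 'allowed_hosts' is a hypothetical allowlist used only as a fallback.
CONFIG_WEAK = {"baseurl": "", "allowed_hosts": []}
CONFIG_FIXED = {
    "baseurl": "https://wiki.example.org/",
    "allowed_hosts": ["wiki.example.org"],
}

# Assumed reset endpoint; the real path/parameters may differ.
RESET_PATH = "doku.php"
RESET_QUERY = "do=resendpwd&pwauth={token}"


def reset_url_vulnerable(headers, token):
    """Pre-fix pattern: the hostname is copied straight from the Host header,
    so whatever the client sent ends up in the e-mailed link."""
    host = headers.get("Host", "")
    return f"https://{host}/{RESET_PATH}?" + RESET_QUERY.format(token=token)


def reset_url_hardened(config, headers, token):
    """Prefer the administrator-configured baseurl. When none is set, accept
    the Host header only if its hostname is explicitly allowlisted; otherwise
    refuse to build a link rather than mail an attacker-chosen hostname."""
    base = config.get("baseurl")
    if not base:
        netloc = headers.get("Host", "")
        host = netloc.split(":")[0].lower()  # strip any port before checking
        if host not in config.get("allowed_hosts", []):
            raise ValueError(f"untrusted Host header: {netloc!r}")
        base = f"https://{netloc}/"
    parts = urlsplit(base)
    path = parts.path.rstrip("/") + "/" + RESET_PATH  # keep any base sub-path
    query = RESET_QUERY.format(token=token)
    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))
```

Running both builders against a request whose Host header names a foreign domain shows the difference: the first returns a link pointing at that domain, the second returns the configured site or raises.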