First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 145714
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Raphael Marichez <falco@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 145714 depends on: Show dependency tree
Bug 145714 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2006-08-31 07:54 0000 
"Cross-site scripting (XSS) vulnerability in tiki-searchindex.php in TikiWiki
1.9.4 allows remote attackers to inject arbitrary web script or HTML via the
highlight parameter. NOTE: the provenance of this information is unknown; the
details are obtained from third party information."


waiting for any update

------- Comment #1 From Raphael Marichez 2006-09-08 05:38:00 0000 ------- 
file-upload-vulnerability++

http://secunia.com/advisories/21733/

1.9.4 is affected.

------- Comment #2 From Renat Lumpau 2006-09-11 20:41:54 0000 ------- 
should be fixed in -r2

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-09-14 03:17:08 0000 ------- 
Renat, does 1.9.5 fix this issue ? please comment on the bug next time.

1.9.5 fixes this and has been committed:

12 Sep 2006; Renat Lumpau <rl03@gentoo.org> +tikiwiki-1.9.5.ebuild:

------- Comment #4 From Renat Lumpau 2006-09-14 05:21:35 0000 ------- 
sorry folks, that's what i had intended with comment #2 , except not -r2 but
1.9.5 . i'll be more careful next time

------- Comment #5 From Sune Kloppenborg Jeppesen 2006-09-14 07:01:54 0000 ------- 
Thx Renat and sorry for the confusion.

PPC please test and mark stable. Target keywords are:

tikiwiki-1.9.5.ebuild:KEYWORDS="~amd64 ppc ~sparc ~x86"

------- Comment #6 From Tobias Scherbaum 2006-09-15 11:34:08 0000 ------- 
ppc stable

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-09-15 11:56:19 0000 ------- 
I tend to vote NO.

------- Comment #8 From Wolf Giesen (RETIRED) 2006-09-15 12:32:16 0000 ------- 
Hm, since it seems to be on the same level as the recent DokuWiki vulnerability
I'd say it's more B1 than enything else?!

------- Comment #9 From Sune Kloppenborg Jeppesen 2006-09-15 23:47:58 0000 ------- 
This has nothing to do with the recent DokuWiki vulnerability. This one allows
injection of web script (javascript) in the context of the victims browswer.

------- Comment #10 From Wolf Giesen (RETIRED) 2006-09-19 01:35:16 0000 ------- 
Maybe I was mislead by Falco's link ... ehr <swirl> ... if we're still talking
1.9.4 ... isn't that one valid?

------- Comment #11 From Sune Kloppenborg Jeppesen 2006-09-19 02:06:35 0000 ------- 
No I was mislead by an outdated Summary/Status.

/me blames falco.

Lets have the GLSA.

------- Comment #12 From Tavis Ormandy (RETIRED) 2006-09-19 05:40:52 0000 ------- 
I would vote YES.

------- Comment #13 From Sune Kloppenborg Jeppesen 2006-09-25 11:07:56 0000 ------- 
GLSA drafted, security please review.

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-09-26 09:22:16 0000 ------- 
GLSA 200609-16
First Last Prev Next    No search results available      Search page      Enter new bug