Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 72315 - net-zope/zwiki: XSS vulnerability
Summary: net-zope/zwiki: XSS vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa] lewk
Keywords:
Depends on:
Blocks:
 
Reported: 2004-11-23 22:58 UTC by Luke Macken (RETIRED)
Modified: 2004-12-21 15:31 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Luke Macken (RETIRED) gentoo-dev 2004-11-23 22:58:41 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerability

Revision 1.1
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
========
Zwiki is a wiki clone in zope. It has a cross site scripting vulnerability.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Details
=======
Due to an input validation flaw, the Zwiki is vulnerable to cross site
scripting attacks.

cf. http://zwiki.org/925ZwikiXSSVulnerability

proof of concept
http://[victim]/<img src=javascript:alert('hi')>

Impact
======
Medium: Malicious attackers can inject and execute arbitrary script code in
a user's browser session in context of an affected site.

Workaround
==========
There is no known workaround at this time.

Affected Products
================
Zwiki 0.36.2 and prior

Vendor Status: NOT FIXED
=======================
2004-10-01 Vulnerability found.
2004-10-01 Zwiki developer notified.
2004-11-22 Official release.

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQaP4tT9dVHd/hpsuEQJBogCg3Nbwv9aZ2ZDmQS4z17f2w8ogGukAnAoD
Gbj1Yf87gJVSiLb+g/ky60tJ
=ppK5
-----END PGP SIGNATURE-----
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-11-23 23:04:06 UTC
0.37 is due out 12/01/04.  Setting status to [upstream] until this release.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-29 06:16:45 UTC
http://zwiki.org/925ZwikiXSSVulnerability#msg20041126012053-0800@zwiki.org

lists a proposed patch:

Fix -- Fri, 26 Nov 2004 01:20:53 -0800 reply
Here's the fix, to be applied to the file in the ZWiki product on disk, and in any instances of this standard_error_message that exist in your ZODB.:

 --- standard_error_message.dtml.original        Fri Nov 26 09:17:22 2004
 +++ standard_error_message.dtml Fri Nov 26 09:17:55 2004
 @@ -29,7 +29,7 @@
    <body>
      <p>
        I could not find any likely page matching 
 -      "<b><dtml-var "here.urlunquote(searchexpr)"></b>"
 +      "<b><dtml-var "here.urlunquote(searchexpr)" html_quote></b>"
      </p>
      <p>
        Click here to 

cheers,

Chris
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-12 11:58:30 UTC
according to http://zwiki.org/925ZwikiXSSVulnerability#msg20041126012053-0800@zwiki.org the patch mentioned in comment #2 is going into 0.37

the zwiki repository already includes it, see http://zwiki.org/repos/ZWiki/content/basic/standard_error_message.dtml
and for the diff: http://zwiki.org/cgi-bin/darcs?ZWiki**20041130080308-e02d6-1004ac472bd9fb2924af6ec6ca708b33c5e18f6b.gz


net-zope: since 0.37 is overdue already, you should consider adding this relatively simple patch into a new revision
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-18 14:08:06 UTC
net-zope, this bug is open for quite a while now, pls comment
Comment 5 Jodok Batlogg (RETIRED) gentoo-dev 2004-12-18 14:22:58 UTC
revision bump to 0.36.2, checked in ~x86
Comment 6 Luke Macken (RETIRED) gentoo-dev 2004-12-18 16:14:57 UTC
This issue is not fixed in 0.36.2.

net-zope, please either apply patch or wait for 0.37 which is coming out "any day now".
Comment 7 Jodok Batlogg (RETIRED) gentoo-dev 2004-12-19 09:01:14 UTC
we'll wait for the new release
Comment 8 Radoslaw Stachowiak (RETIRED) gentoo-dev 2004-12-20 07:58:37 UTC
fixed as version 0.36.2-r1.
will be marked stable in a few hours, please report back in case of problems.
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-20 09:45:48 UTC
Thanks Radoslaw :)

(note: only needs x86 stable marking, otherwise it's just ~ppc and didn't have a stable version there before)
Comment 10 Radoslaw Stachowiak (RETIRED) gentoo-dev 2004-12-20 23:51:10 UTC
commited into portage as stable x86.
Comment 11 Chris White (RETIRED) gentoo-dev 2004-12-21 00:02:44 UTC
Not FIXED until glsa is released...
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-21 00:31:09 UTC
security, pls vote on GLSA
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 01:20:06 UTC
Hmm... I would tend to say "yes", as zwiki in a CMS, like wordpress or others we've issues advisories for.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-21 03:34:22 UTC
Initially I would tend to say no, but with Koon's arguments I tend to say yes.
Comment 15 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-21 08:05:23 UTC
agreed

that's three times a "yes" -> GLSA
Comment 16 Luke Macken (RETIRED) gentoo-dev 2004-12-21 15:31:02 UTC
GLSA 200412-23