-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerability

Revision 1.1
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
========
Zwiki is a wiki clone in zope. It has a cross site scripting vulnerability.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Details
=======
Due to an input validation flaw, the Zwiki is vulnerable to cross site scripting attacks.

cf. http://zwiki.org/925ZwikiXSSVulnerability

proof of concept
http://[victim]/<img src=javascript:alert('hi')>

Impact
======
Medium: Malicious attackers can inject and execute arbitrary script code in a user's browser session in context of an affected site.

Workaround
==========
There is no known workaround at this time.

Affected Products
================
Zwiki 0.36.2 and prior

Vendor Status: NOT FIXED
=======================
2004-10-01 Vulnerability found.
2004-10-01 Zwiki developer notified.
2004-11-22 Official release.

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQaP4tT9dVHd/hpsuEQJBogCg3Nbwv9aZ2ZDmQS4z17f2w8ogGukAnAoD
Gbj1Yf87gJVSiLb+g/ky60tJ
=ppK5
-----END PGP SIGNATURE-----
0.37 is due out 12/01/04. Setting status to [upstream] until this release.
http://zwiki.org/925ZwikiXSSVulnerability#msg20041126012053-0800@zwiki.org lists a proposed patch: Fix -- Fri, 26 Nov 2004 01:20:53 -0800 reply Here's the fix, to be applied to the file in the ZWiki product on disk, and in any instances of this standard_error_message that exist in your ZODB.: --- standard_error_message.dtml.original Fri Nov 26 09:17:22 2004 +++ standard_error_message.dtml Fri Nov 26 09:17:55 2004 @@ -29,7 +29,7 @@ <body> <p> I could not find any likely page matching - "<b><dtml-var "here.urlunquote(searchexpr)"></b>" + "<b><dtml-var "here.urlunquote(searchexpr)" html_quote></b>" </p> <p> Click here to cheers, Chris
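Review bot: the `+` line in the @@ -29,7 +29,7 @@ hunk adds html_quote to this one `<dtml-var "here.urlunquote(searchexpr)">` only, and the visible context does not show whether searchexpr or other request-derived values are rendered elsewhere in standard_error_message.dtml, so the rest of the template should be checked for dtml-var expressions without html_quote. The order on the changed line is right: the value is URL-unquoted first and HTML-escaped at output. Since the accompanying text says copies of standard_error_message in the ZODB need the same edit, updating the on-disk file alone leaves those instances rendering the unescaped value, which is worth stating wherever the fix is announced.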
according to http://zwiki.org/925ZwikiXSSVulnerability#msg20041126012053-0800@zwiki.org the patch mentioned in comment #2 is going into 0.37.

the zwiki repository already includes it, see http://zwiki.org/repos/ZWiki/content/basic/standard_error_message.dtml and for the diff: http://zwiki.org/cgi-bin/darcs?ZWiki**20041130080308-e02d6-1004ac472bd9fb2924af6ec6ca708b33c5e18f6b.gz

net-zope: since 0.37 is overdue already, you should consider adding this relatively simple patch into a new revision
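The fix discussed above adds html_quote to a single dtml-var tag and has to be repeated in every copy of the template. The following is an added example, not code from Zwiki or from this bug: it goes beyond that one line and lists every dtml-var tag in a template's text that is rendered without an output-encoding attribute. The function name, the sample text and the choice of which attributes count as encoders are assumptions; ZODB copies would have to be exported to text before being checked this way.

```python
import re

# <dtml-var ...> tag; a double-quoted expression may contain '>' and is
# therefore consumed as one unit instead of ending the tag early.
DTML_VAR = re.compile(r'<dtml-var\b((?:"[^"]*"|[^">])*)>', re.IGNORECASE)
QUOTED = re.compile(r'"[^"]*"')
# Attributes accepted here as output encoding (assumption; adjust to policy).
ENCODERS = {"html_quote", "url_quote"}


def unquoted_vars(template_text):
    """Return (line_number, tag) for each dtml-var lacking an encoder."""
    findings = []
    for match in DTML_VAR.finditer(template_text):
        # Remove quoted expressions first, so the word html_quote inside a
        # string literal is not mistaken for the tag attribute.
        bare = QUOTED.sub(" ", match.group(1))
        attrs = {word.split("=")[0].lower() for word in bare.split()}
        if not attrs & ENCODERS:
            line = template_text.count("\n", 0, match.start()) + 1
            findings.append((line, match.group(0)))
    return findings


# Constructed sample built from the pre-fix lines quoted in the patch.
BEFORE = '''<body>
<p>
I could not find any likely page matching
"<b><dtml-var "here.urlunquote(searchexpr)"></b>"
</p>
'''
# The same text with the patched line.
AFTER = BEFORE.replace('(searchexpr)">', '(searchexpr)" html_quote>')

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        hits = unquoted_vars(text)
        print(label, "->", hits if hits else "no unquoted dtml-var")
```

A hit is a prompt to review the tag by hand, since a value that is already safe markup may be left unquoted on purpose.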
net-zope, this bug is open for quite a while now, pls comment
revision bump to 0.36.2, checked in ~x86
This issue is not fixed in 0.36.2. net-zope, please either apply patch or wait for 0.37 which is coming out "any day now".
we'll wait for the new release
fixed as version 0.36.2-r1. will be marked stable in a few hours, please report back in case of problems.
Thanks Radoslaw :) (note: only needs x86 stable marking, otherwise it's just ~ppc and didn't have a stable version there before)
committed into portage as stable x86.
Not FIXED until glsa is released...
security, pls vote on GLSA
Hmm... I would tend to say "yes", as zwiki is a CMS, like wordpress or others we've issued advisories for.
Initially I would tend to say no, but with Koon's arguments I tend to say yes.
agreed that's three times a "yes" -> GLSA
GLSA 200412-23