Bug 532190 - <www-apps/dokuwiki-20140929b: XSS attack via SWF uploads (CVE-2014-9253)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.dokuwiki.org/changes
Whiteboard: B4 [noglsa]
Reported: 2014-12-10 19:48 UTC by theodor
Modified: 2014-12-29 22:08 UTC
Description theodor 2014-12-10 19:48:18 UTC
Please update dokuwiki ebuild to prevent XSS attack via SWF uploads.

Reproducible: Always
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-12-12 14:10:54 UTC
done

13:47 < irker481> gentoo-x86: jmbsvicetto www-apps/dokuwiki: Bump dokuwiki versions to address an XSS with SWF uploads - announcement https://www.freelists.org/post/dokuwiki/XSS-via-SWF-uploads-hotfix,3

@security:

Do you want to track this bug?
Comment 2 Agostino Sarubbo gentoo-dev 2014-12-12 14:32:55 UTC
Arches, please test and mark stable:
=www-apps/dokuwiki-20140929b
Target keywords : "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2014-12-21 11:37:21 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-12-21 11:42:08 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-12-22 13:53:49 UTC
(In reply to Agostino Sarubbo from comment #4)
> Maintainer(s), please cleanup.

13:52 < irker856> gentoo-x86: jmbsvicetto www-apps/dokuwiki: Drop old vulnerable versions

Done
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-12-28 19:06:54 UTC
@Security, do we produce glsa for XSS? AFAIR, no.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-12-29 22:07:59 UTC
CVE-2014-9253 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9253):
  The default file type whitelist configuration in conf/mime.conf in the Media
  Manager in DokuWiki before 2014-09-29b allows remote attackers to execute
  arbitrary web script or HTML by uploading an SWF file, then accessing it via
  the media parameter to lib/exe/fetch.php.
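The CVE text in comment 7 attributes the issue to the default file type whitelist in conf/mime.conf. The following added example (not part of the bug report and not DokuWiki or Gentoo code) audits whitelist content for Flash entries. It assumes the file format is one "extension mimetype" pair per line with `#` comments and a leading `!` on the mimetype meaning forced download, and that a site-local override is merged over the default; the sample file bodies are constructed.

```python
# Added example: audit DokuWiki mime.conf content for Flash upload entries.
# Assumed format: "<ext> <mimetype>" per line, '#' starts a comment, and a
# leading '!' on the mimetype forces download instead of inline display.
FLASH_MIME = "application/x-shockwave-flash"

# Constructed samples, not copied from any DokuWiki release.
DEFAULT_WITH_SWF = """\
# constructed sample: default whitelist that still allows Flash
png   image/png
pdf   application/pdf
swf   application/x-shockwave-flash
"""
DEFAULT_WITHOUT_SWF = """\
png   image/png
pdf   application/pdf
"""
LOCAL_OVERRIDE = """\
# constructed sample: site override that re-adds Flash
SWF   application/x-shockwave-flash   # requested by a user
"""

def parse_mime_conf(text):
    """Return {extension: (mimetype, forced_download)} for one file body."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comment, then tokenize
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        ext, mime = fields[0].lower(), fields[1].lower()
        entries[ext] = (mime.lstrip("!"), mime.startswith("!"))
    return entries

def flash_findings(*bodies):
    """Merge bodies in order (later ones win) and list Flash-capable entries."""
    merged = {}
    for body in bodies:
        merged.update(parse_mime_conf(body))
    return sorted(
        (ext, "download" if forced else "inline")
        for ext, (mime, forced) in merged.items()
        if ext == "swf" or mime == FLASH_MIME
    )

if __name__ == "__main__":
    for label, bodies in [("default+swf", (DEFAULT_WITH_SWF,)),
                          ("default", (DEFAULT_WITHOUT_SWF,)),
                          ("default+local", (DEFAULT_WITHOUT_SWF, LOCAL_OVERRIDE))]:
        print(label, flash_findings(*bodies))
```

An "inline" finding after upgrading means a local override still whitelists Flash even though the packaged default no longer does.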
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-29 22:08:46 UTC
(In reply to Mikle Kolyada from comment #6)
> @Security, do we produce glsa for XSS? AFAIR, no.

Nope, we don't even give it a vote. 

Closing noglsa for XSS only.