
Bug 136723

Summary: www-apps/tikiwiki: <1.9.3.4 SQL injection and multiple XSS (CVE-2006-2635)
Product: Gentoo Security
Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/lists/bugtraq/2006/Jun/0345.html
Whiteboard: B3 [glsa] Falco
Package list:
Runtime testing required: ---

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-13 16:56:46 UTC
(confirmed on the TikiWiki changelog webpage: "This release mainly enhances security with more protection and introduces various enhancements. It includes the security fixes in Tiki 1.9.3.2" http://sourceforge.net/forum/forum.php?forum_id=578094 )

----------------------------------------------------------------
[#] Security Advisory
[^] http://securitynews.ir/

[>] Advisory Title: TikiWiki Sql injection & XSS Vulnerabilities
[@] Author : bug [@] securitynews.ir
[$] Product Vendor : http://tikiwiki.org/
[.] Affected Versions : 1.9.3.2 (and maybe before)
[/] Release Date : 06/13/2006
----------------------------------------------------------------
[*] Overview :
Tikiwiki is a very powerful multilingual Wiki/CMS/Groupware, but
it has some security bugs too.
One sql injection and several cross-site scripting bugs have
been found in tikiwiki 1.9.3.2 (and tested in 1.9.3.1).

[*] Details :
No exploitable detail is going to be released.

[*] Solution :
Vendor contacted on 06/09/2006 and they have released a new
version (tikiwiki 1.9.4):
http://sourceforge.net/project/showfiles.php?group_id=64258

------------------------------
http://securitynews.ir/
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-13 16:58:00 UTC
Hello web-apps, please work again on tikiwiki :/

1.9.3.4 is out and corrects the SQL injection vulnerability and XSS issues.

Thanks in advance
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2006-06-17 17:27:38 UTC
1.9.4 in CVS
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-17 17:33:08 UTC
Thanks rl03

ppc team, please test and mark stable, thank you
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-25 00:37:39 UTC
ppc stable
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-06-25 10:14:52 UTC
I would vote yes.
Comment 6 Wolf Giesen (RETIRED) gentoo-dev 2006-06-25 10:20:15 UTC
Yes. (/sigh)
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-25 11:00:13 UTC
Because of the SQL injection (and not because of the XSS issue), I vote yes.

GLSA will have to be combined with bug 134483

Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-28 23:08:51 UTC
GLSA 200606-29