Bug 153820

Summary: www-apps/tikiwiki: mysql password disclosure & xss
Product: Gentoo Security
Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://archives.neohapsis.com/archives/bugtraq/2006-11/0014.html
Whiteboard: B3/4 [glsa] vorlon
Package list:
Runtime testing required: ---

Description Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-02 07:54:40 UTC
<quote>
/*==========================================*/
//tikiwiki version 1.9.5 (CVS) -Sirius-  (PoC)
// Product: Tikiwiki 
// URL: http://tikiwiki.org/
// RISK: critical
/*==========================================*/

There's a critical security bug in Tikiwiki version 1.9.5 (CVS) -Sirius-.
An anonymous user can dump the MySQL user & password just by creating a MySQL error with the "sort_mode" var, with the following links:
</quote>
<quote>
There's also an XSS here:
/tiki-featured_link.php?type=f&url=" ></iframe><scr</script>ipt>alert('XSS')</scri</script>pt> <!--
</quote>
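The two defect classes the report names, as an added illustration that is not Tikiwiki's code and not taken from the advisory: an untrusted "url" parameter written into an iframe attribute behind a blacklist that the PoC payload is shaped to defeat, beside the contextually encoded version; and a "sort_mode" parameter concatenated into ORDER BY, beside an allowlist plus an error handler that keeps driver messages out of the response. The function names, the table and column names, the "</script>"-stripping filter and the constructed inputs are assumptions.

```php
<?php
// Added example, not code from Tikiwiki or the advisory. Function names, table and
// column names, and the "</script>"-stripping filter are assumptions chosen to mirror
// the two defect classes in the report.

// ---- 1. Reflected XSS: untrusted "url" written into an <iframe src="..."> attribute ----

// Weak: a blacklist that deletes "</script>". The PoC nests the token inside itself
// ("<scr</script>ipt>"), so one deletion pass yields a clean "<script>" tag.
function render_featured_link_weak(string $url): string
{
    $filtered = str_ireplace('</script>', '', $url);
    return '<iframe src="' . $filtered . '"></iframe>';
}

// Hardened: allow only http(s) URLs and encode for the HTML attribute context, so a
// double quote in the value can never terminate the attribute.
function render_featured_link_safe(string $url): string
{
    if (!preg_match('~^https?://~i', $url)) {
        $url = 'about:blank';
    }
    $encoded = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<iframe src="' . $encoded . '"></iframe>';
}

// ---- 2. Error disclosure: "sort_mode" concatenated into ORDER BY ----

// Weak: the parameter reaches the SQL text unchanged, so any value the server
// rejects produces a driver error, and whatever the error handler prints is
// shown to an anonymous visitor.
function page_list_sql_weak(string $sort_mode): string
{
    return 'SELECT pageName, lastModif FROM tiki_pages ORDER BY ' . $sort_mode;
}

// Hardened: the parameter only selects an entry from a fixed map; anything else
// falls back to a default, so user input never becomes SQL syntax.
function page_list_sql_safe(string $sort_mode): string
{
    $allowed = [
        'pageName_asc'   => 'pageName ASC',
        'pageName_desc'  => 'pageName DESC',
        'lastModif_asc'  => 'lastModif ASC',
        'lastModif_desc' => 'lastModif DESC',
    ];
    $order = $allowed[$sort_mode] ?? $allowed['pageName_asc'];
    return 'SELECT pageName, lastModif FROM tiki_pages ORDER BY ' . $order;
}

// Hardened error handling: the driver message goes to the server log only; the
// visitor gets a generic page with no query text, DSN or credentials.
function run_query(PDO $db, string $sql): array
{
    try {
        return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log('tiki db error: ' . $e->getMessage());
        http_response_code(500);
        exit('A database error occurred.');
    }
}

// Constructed inputs: the advisory's XSS payload, and a sort_mode value that is not
// a column name and would therefore make MySQL raise an error in the weak version.
$xss_payload = '" ></iframe><scr</script>ipt>alert(\'XSS\')</scri</script>pt> <!--';
$bad_sort    = 'no_such_column';

echo render_featured_link_weak($xss_payload), PHP_EOL;
echo render_featured_link_safe($xss_payload), PHP_EOL;
echo render_featured_link_safe('http://example.org/?a=1&b="x"'), PHP_EOL;
echo page_list_sql_weak($bad_sort), PHP_EOL;
echo page_list_sql_safe($bad_sort), PHP_EOL;
```

Run stand-alone, the weak renderer emits `<iframe src="" ></iframe><script>alert('XSS')</script> <!--"></iframe>`, which is exactly the markup the PoC is built to produce: the deletion of `</script>` from `<scr</script>ipt>` leaves `<script>`, the leading `"` closes the attribute early, and the trailing `<!--` swallows the original closing quote. The hardened renderer emits `<iframe src="about:blank"></iframe>` for the payload and `<iframe src="http://example.org/?a=1&amp;b=&quot;x&quot;"></iframe>` for a legitimate URL. The weak ORDER BY carries `no_such_column` into the query text; the allowlisted version yields `ORDER BY pageName ASC` regardless of input, and with `run_query` a failing statement is logged rather than displayed.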
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-02 07:57:31 UTC
http://dev.tikiwiki.org/tiki-view_tracker_item.php?itemId=927&trackerId=5

- fixed for 1.9 CVS
- xss vulnerability fixed

merge into 1.10 on the way
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2006-11-07 20:08:53 UTC
1.9.6 in CVS, needs ppc lovin'
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-07 23:40:12 UTC
ppc stable, this one's ready for GLSA decision.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-09 14:51:56 UTC
security please vote
Comment 5 Wolf Giesen (RETIRED) gentoo-dev 2006-11-10 06:11:26 UTC
Hm, I would not want my users to know my database credentials. I know some bigger organizations that use Tikiwiki for their Intranets, so I guess I'll say "yes" here.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-10 09:34:36 UTC
Voting YES. Let's have GLSA on this one.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 11:47:47 UTC
GLSA 200611-11