| Field | Value |
|---|---|
| Summary | <www-apps/dokuwiki-20110525a: "target" Cross-Site Scripting Vulnerability (CVE-2012-{2128,2129}) |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | ramereth, web-apps |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://secunia.com/advisories/48848/ |
| Whiteboard | B4 [glsa] |
| Package list | |
| Runtime testing required | --- |
Description
Agostino Sarubbo
2012-04-21 09:45:35 UTC
CVE-2012-2129 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2129): Cross-site scripting (XSS) vulnerability in doku.php in DokuWiki 2012-01-25 Angua allows remote attackers to inject arbitrary web script or HTML via the target parameter in an edit action.

CVE-2012-2128 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2128): ** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in doku.php in DokuWiki 2012-01-25 Angua allows remote attackers to hijack the authentication of administrators for requests that add arbitrary users. NOTE: this issue has been disputed by the vendor, who states that it is resultant from CVE-2012-2129: "the exploit code simply uses the XSS hole to extract a valid CSRF token."

FWIW I just bumped dokuwiki to 20121013. Feel free to mark stable after tests have checked it out. Not sure if that version has the fix in it or not.

This issue was resolved and addressed in GLSA 201301-07 at http://security.gentoo.org/glsa/glsa-201301-07.xml by GLSA coordinator Stefan Behte (craig).
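The bug class behind CVE-2012-2129 is a request parameter reflected into an HTML attribute without context-correct encoding. The model below is an added example written for this page; it is not DokuWiki's code and does not reproduce the actual doku.php handler. The function names, the hidden-field markup and the sample payload are all constructed here. It shows the same "target" parameter echoed raw (attribute breakout, script element appears in the parsed document) beside the encoded form (the payload survives only as an attribute value), using Python's own HTML parser as a stand-in for how a browser would tokenize the response.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed payload: the leading quote closes the value attribute, the rest becomes markup.
PAYLOAD = '"><script>alert(1)</script><input value="'


def sample_query() -> str:
    """Constructed query string for an 'edit' action carrying the payload in 'target'."""
    return urlencode({"do": "edit", "target": PAYLOAD})


def get_target(query: str) -> str:
    params = parse_qs(query, keep_blank_values=True)
    return params.get("target", [""])[0]


def render_edit_form_vulnerable(query: str) -> str:
    # Hypothetical vulnerable handler: raw interpolation into an attribute value.
    return (
        '<form method="post">'
        f'<input type="hidden" name="target" value="{get_target(query)}">'
        '</form>'
    )


def render_edit_form_fixed(query: str) -> str:
    # Hardened form: html.escape with quote=True also encodes " and ', so the
    # parameter can no longer terminate the attribute it is placed in.
    safe = html.escape(get_target(query), quote=True)
    return (
        '<form method="post">'
        f'<input type="hidden" name="target" value="{safe}">'
        '</form>'
    )


class TagCollector(HTMLParser):
    """Records element names and the value the browser would assign to the hidden field."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.target_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        a = dict(attrs)
        if tag == "input" and a.get("name") == "target" and self.target_value is None:
            # HTMLParser unescapes attribute values, as a browser does.
            self.target_value = a.get("value")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def parse(markup: str) -> TagCollector:
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p


def script_injected(markup: str) -> bool:
    """True if a <script> element exists in the parsed response, i.e. the breakout worked."""
    return "script" in parse(markup).tags


def main() -> None:
    q = sample_query()
    print("vulnerable:", script_injected(render_edit_form_vulnerable(q)))   # True
    print("fixed:     ", script_injected(render_edit_form_fixed(q)))        # False
    print("fixed value round-trips:",
          parse(render_edit_form_fixed(q)).target_value == PAYLOAD)         # True


if __name__ == "__main__":
    main()
```

The encoded version keeps the exact parameter value (it round-trips through the parser unchanged) while denying it any syntactic effect. That is also why the vendor treated CVE-2012-2128 as a consequence rather than a separate bug: a CSRF token stored in the page is readable by any script running in the wiki's origin, so once the reflected script is gone the token extraction it relied on goes with it, and the token check itself needs no change.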