Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 72315

Summary: net-zope/zwiki: XSS vulnerability
Product: Gentoo Security Reporter: Luke Macken (RETIRED) <lewk>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-zope+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B4 [glsa] lewk
Package list:
Runtime testing required: ---

Description Luke Macken (RETIRED) gentoo-dev 2004-11-23 22:58:41 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerability

Revision 1.1
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
========
Zwiki is a wiki clone in zope. It has a cross site scripting vulnerability.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Details
=======
Due to an input validation flaw, the Zwiki is vulnerable to cross site
scripting attacks.

cf. http://zwiki.org/925ZwikiXSSVulnerability

proof of concept
http://[victim]/<img src=javascript:alert('hi')>

Impact
======
Medium: Malicious attackers can inject and execute arbitrary script code in
a user's browser session in context of an affected site.

Workaround
==========
There is no known workaround at this time.

Affected Products
================
Zwiki 0.36.2 and prior

Vendor Status: NOT FIXED
=======================
2004-10-01 Vulnerability found.
2004-10-01 Zwiki developer notified.
2004-11-22 Official release.

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQaP4tT9dVHd/hpsuEQJBogCg3Nbwv9aZ2ZDmQS4z17f2w8ogGukAnAoD
Gbj1Yf87gJVSiLb+g/ky60tJ
=ppK5
-----END PGP SIGNATURE-----
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-11-23 23:04:06 UTC 
0.37 is due out 12/01/04.  Setting status to [upstream] until this release.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-29 06:16:45 UTC 
http://zwiki.org/925ZwikiXSSVulnerability#msg20041126012053-0800@zwiki.org

lists a proposed patch:

Fix -- Fri, 26 Nov 2004 01:20:53 -0800 reply
Here's the fix, to be applied to the file in the ZWiki product on disk, and in any instances of this standard_error_message that exist in your ZODB.:

 --- standard_error_message.dtml.original        Fri Nov 26 09:17:22 2004
 +++ standard_error_message.dtml Fri Nov 26 09:17:55 2004
 @@ -29,7 +29,7 @@
    <body>
      <p>
        I could not find any likely page matching 
 -      "<b><dtml-var "here.urlunquote(searchexpr)"></b>"
 +      "<b><dtml-var "here.urlunquote(searchexpr)" html_quote></b>"
      </p>
      <p>
        Click here to 

cheers,

Chris
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-12 11:58:30 UTC 
according to http://zwiki.org/925ZwikiXSSVulnerability#msg20041126012053-0800@zwiki.org the patch mentioned in comment #2 is going into 0.37

the zwiki repository already includes it, see http://zwiki.org/repos/ZWiki/content/basic/standard_error_message.dtml
and for the diff: http://zwiki.org/cgi-bin/darcs?ZWiki**20041130080308-e02d6-1004ac472bd9fb2924af6ec6ca708b33c5e18f6b.gz


net-zope: since 0.37 is overdue already, you should consider adding this relatively simple patch into a new revision
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-18 14:08:06 UTC 
net-zope, this bug is open for quite a while now, pls comment
Comment 5 Jodok Batlogg (RETIRED) gentoo-dev 2004-12-18 14:22:58 UTC 
revision bump to 0.36.2, checked in ~x86
Comment 6 Luke Macken (RETIRED) gentoo-dev 2004-12-18 16:14:57 UTC 
This issue is not fixed in 0.36.2.

net-zope, please either apply patch or wait for 0.37 which is coming out "any day now".
Comment 7 Jodok Batlogg (RETIRED) gentoo-dev 2004-12-19 09:01:14 UTC 
we'll wait for the new release
Comment 8 Radoslaw Stachowiak (RETIRED) gentoo-dev 2004-12-20 07:58:37 UTC 
fixed as version 0.36.2-r1.
will be marked stable in a few hours, please report back in case of problems.
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-20 09:45:48 UTC 
Thanks Radoslaw :)

(note: only needs x86 stable marking, otherwise it's just ~ppc and didn't have a stable version there before)
Comment 10 Radoslaw Stachowiak (RETIRED) gentoo-dev 2004-12-20 23:51:10 UTC 
commited into portage as stable x86.
Comment 11 Chris White (RETIRED) gentoo-dev 2004-12-21 00:02:44 UTC 
Not FIXED until glsa is released...
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-21 00:31:09 UTC 
security, pls vote on GLSA
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 01:20:06 UTC 
Hmm... I would tend to say "yes", as zwiki in a CMS, like wordpress or others we've issues advisories for.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-21 03:34:22 UTC 
Initially I would tend to say no, but with Koon's arguments I tend to say yes.
Comment 15 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-21 08:05:23 UTC 
agreed

that's three times a "yes" -> GLSA
Comment 16 Luke Macken (RETIRED) gentoo-dev 2004-12-21 15:31:02 UTC 
GLSA 200412-23