Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 109858 - www-apps/tikiwiki XSS vulnerability
Summary: www-apps/tikiwiki XSS vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-19 14:35 UTC by Michael Davey
Modified: 2005-10-28 04:46 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Davey 2005-10-19 14:35:46 UTC
A new release of TikiWiki is now available on SourceForge.net: version 1.9.1.1
for the 1.9 -Sirius- branch.

This maintainance release includes fixes for a recently identified security flaw.


Reproducible: Always
Steps to Reproduce:
1.
2.
3.




1.9.1.1 is available as a patch tarball to be applied over version 1.9.1 and as
a complete distribution.

Additionally, the Tiki community have recently marked the 1.9 branch as stable
and fit for production use, thus 1.9.1.1 should ideally be the default
(unmasked) target for an emerge of the tikiwiki package.

If you need any assistance preparing or testing the ebuild, please do drop in on
<irc://irc.freenode.net/#tikiwiki> and ask - we are a friendly bunch ;)
Comment 1 Michael Davey 2005-10-19 14:43:27 UTC
<http://tikiwiki.org/art118> for more information
<http://tikiwiki.org/Download> for files download
Comment 2 Michael Davey 2005-10-19 14:45:15 UTC
Reassigning to webapps team.  Please email security@tikiwiki.org if you need
further security information.

Cheers,
-- 
Michael
a TikiWiki developer
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-10-19 22:39:36 UTC
URL removed. Information from changelog:  
  
Version 1.9.1.1  
* [FIX] Fixed an XSS-vulnerability  
* [MOD] Improved Tiki Security Admin  
* [FIX] tweaks to fixperms.sh, /img/tracker included 
 
www-apps please bump. 
Comment 4 Renat Lumpau (RETIRED) gentoo-dev 2005-10-23 08:41:21 UTC
Bumped.

Apologies for the delay, had to sort out my PHP installation.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-10-23 11:46:12 UTC
ppc: please test and mark stable
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-24 12:54:08 UTC
Stable on ppc.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-10-24 14:07:06 UTC
Ready for GLSa vote
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2005-10-24 23:38:26 UTC
When running a wiki, one should be aware that they tend to be a bit insecure,
and since this is only a XSS, i'd say no.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-10-25 00:53:50 UTC
I vote yes for XSS issues on internet-facing websites, and wikis are.
Comment 10 Tavis Ormandy (RETIRED) gentoo-dev 2005-10-25 06:03:39 UTC
I would agree with DerCorny, voting NO.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2005-10-25 13:02:20 UTC
I vote YES, we did several previous GLSAs on these types of issues with these 
types of web apps or similar (webmail, groupware). 
 
Let the vote continue:-) 
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-10-26 01:29:23 UTC
Beh, everyone active voted. Let's say two yes win over two no's :)
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-10-28 04:46:01 UTC
GLSA 200510-23