Bug 134483 - www-apps/tikiwiki: < multiple XSS (CVE-2006-2635)
Summary: www-apps/tikiwiki: < multiple XSS (CVE-2006-2635)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa] Falco
Duplicates: 136108
Depends on:
Reported: 2006-05-27 02:02 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-06-28 23:08 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-27 02:02:25 UTC
Multiple XSS Vulnerabilities in Tikiwiki 1.9.x
Discovered by Blwood
** Public **


** Admin **
In all pages the source will be:
<meta name="keywords" content=""><script>alert('Blwood')</script>" />
The code will be executed on every page!
Exploit:
(I don't paste all the code)
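As an added illustration of the defect the report describes (not TikiWiki's code and not part of the original advisory): the keywords setting is written into a site-wide meta tag, so a value containing a double quote closes the attribute and the remainder is emitted as markup on every page. The attribute-context encoding below is the standard fix. Function names and the sample value are assumptions made for this example.

```php
<?php
// Added example, not TikiWiki code. Demonstrates attribute-context output
// encoding for a <meta name="keywords"> tag populated from an admin setting.

// Vulnerable rendering: the setting is concatenated into the attribute
// unescaped. A double quote in the value closes the attribute and anything
// after it is parsed as markup on every page that emits the tag.
function render_keywords_meta_vulnerable(string $keywords): string
{
    return '<meta name="keywords" content="' . $keywords . '" />';
}

// Hardened rendering: htmlspecialchars() with ENT_QUOTES encodes every
// character that can break out of a double-quoted attribute (" ' < > &),
// so the value stays inert text inside the attribute.
function render_keywords_meta_safe(string $keywords): string
{
    return '<meta name="keywords" content="'
        . htmlspecialchars($keywords, ENT_QUOTES, 'UTF-8')
        . '" />';
}

// Regression check a packager can run against a rendered template:
// the output must still be exactly one self-closing meta element whose
// attribute value contains no raw quote or angle bracket.
function meta_tag_is_intact(string $html): bool
{
    return preg_match('#^<meta name="keywords" content="[^"<>]*" />$#', $html) === 1;
}

// Constructed sample value, modelled on the payload quoted in the report.
$sample = '"><script>alert(\'Blwood\')</script>';

echo render_keywords_meta_vulnerable($sample), PHP_EOL;
echo render_keywords_meta_safe($sample), PHP_EOL;

var_dump(meta_tag_is_intact(render_keywords_meta_vulnerable($sample)));
var_dump(meta_tag_is_intact(render_keywords_meta_safe($sample)));
```

Run with `php example.php`: the check rejects the vulnerable rendering (the attribute is closed early and a script element follows) and accepts the hardened one, where the quote and angle brackets arrive in the browser as entity references rather than markup. The same encoding rule applies to any admin or user setting that is interpolated into an HTML attribute, which is why this class of bug affects every page rather than a single view.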
Comment 1 Stuart Herbert (RETIRED) gentoo-dev 2006-05-31 00:28:09 UTC

Hrm ... none of those links work at all :(  I'll have to get tikiwiki set up locally to try and reproduce this problem.

I'll also have a poke around UPSTREAM's cvs repos to see if they've added any unreleased fixes.

Best regards,
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-31 01:51:36 UTC
Thanks Stuart,

Assigning to "Auditing" then, in order to know if we are vulnerable or not.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-08 20:20:43 UTC
*** Bug 136108 has been marked as a duplicate of this bug. ***
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-09 03:01:54 UTC
Handling the tikiwiki issue on this bug. is out now.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-09 03:10:07 UTC
Adding CVE ref.
Comment 6 Renat Lumpau (RETIRED) gentoo-dev 2006-06-09 14:16:13 UTC
In CVS.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-09 23:29:41 UTC
ppc please test and mark stable.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-10 01:06:35 UTC
ppc stable.
old vulnerable ebuild removed.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-10 04:22:33 UTC
I tend to vote NO.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-11 14:16:47 UTC
We had already issued GLSA 200510-23 concerning a TikiWiki XSS.
Should we follow the history or change it?
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-06-13 13:26:35 UTC
I usually tend to vote yes for XSS in wikis... but only if you can actually post things with active code in it, not just follow lame links. So I vote NO.
Comment 12 Wolf Giesen (RETIRED) gentoo-dev 2006-06-13 13:47:33 UTC
In my understanding you can inject arbitrary JavaScript. If that is true I vote YES.
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-13 17:00:00 UTC
Voting No and closing. Feel free to reopen if you disagree.

Furthermore, another security update ( has just been issued, see bug 136723, which is probably a little bit more serious (SQL injection and XSS).
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-14 09:41:55 UTC
Reopening to be included with bug #136723.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-28 23:08:47 UTC
GLSA 200606-29