Bug 145714 - www-apps/tikiwiki: 1.9.4 Arbitrary command execution and XSS (CVE-2006-{4299|4602})
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: B1? [glsa+] Falco
Depends on:
Reported: 2006-08-31 07:54 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-09-26 09:22 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-31 07:54:49 UTC
"Cross-site scripting (XSS) vulnerability in tiki-searchindex.php in TikiWiki 1.9.4 allows remote attackers to inject arbitrary web script or HTML via the highlight parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information."

waiting for any update
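An added illustration of the defect class named in the report (reflected XSS through a search-highlight parameter), constructed for this bug and not TikiWiki's own code; it is written in Python rather than PHP, and the sample search term and result lines are made up. The unsafe renderer reflects the term and uses it as markup verbatim; the safe one escapes every piece of user-controlled text before placing it next to the highlight tags.

```python
import html
import re

# Constructed sample input: a search term as it would arrive in a URL
# parameter, and two wiki lines that matched the search. Not TikiWiki data.
PAYLOAD = '<script>alert(1)</script>'
HITS = ['Setup <b>notes</b> for Apache & PHP', 'apache tuning']


def render_unsafe(term, hits):
    """Defect class only: the parameter is reflected into the heading and
    spliced into each hit without encoding, so HTML in it reaches the browser."""
    items = []
    for h in hits:
        items.append("<li>" + h.replace(term, "<b>" + term + "</b>") + "</li>")
    return "<h2>Results for: " + term + "</h2><ul>" + "".join(items) + "</ul>"


def highlight(text, term):
    """Wrap each case-insensitive match of `term` in <b>.  Matching is done on
    the raw text, then every segment (matched or not) is HTML-escaped before
    the <b> markup is added, so neither the text nor the term can inject tags
    and no escaped entity is ever split by the inserted markup."""
    esc = lambda s: html.escape(s, quote=True)
    if not term:
        return esc(text)
    out, pos = [], 0
    for m in re.finditer(re.escape(term), text, flags=re.IGNORECASE):
        out.append(esc(text[pos:m.start()]))
        out.append("<b>" + esc(m.group(0)) + "</b>")
        pos = m.end()
    out.append(esc(text[pos:]))
    return "".join(out)


def render_safe(term, hits):
    """Hardened renderer: the term is escaped in the heading, and each hit goes
    through highlight(), which escapes before adding markup."""
    items = "".join("<li>" + highlight(h, term) + "</li>" for h in hits)
    heading = "<h2>Results for: " + html.escape(term, quote=True) + "</h2>"
    return heading + "<ul>" + items + "</ul>"


def contains_raw_tag(page, tag="<script"):
    """Detection helper: True if the rendered page carries the tag unencoded."""
    return tag in page.lower()
```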
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-08 05:38:00 UTC

1.9.4 is affected.
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2006-09-11 20:41:54 UTC
should be fixed in -r2
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-14 03:17:08 UTC
Renat, does 1.9.5 fix this issue? Please comment on the bug next time.

1.9.5 fixes this and has been committed:

12 Sep 2006; Renat Lumpau <> +tikiwiki-1.9.5.ebuild:
Comment 4 Renat Lumpau (RETIRED) gentoo-dev 2006-09-14 05:21:35 UTC
Sorry folks, that's what I had intended with comment #2, except not -r2 but 1.9.5. I'll be more careful next time.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-14 07:01:54 UTC
Thx Renat and sorry for the confusion.

PPC please test and mark stable. Target keywords are:

tikiwiki-1.9.5.ebuild:KEYWORDS="~amd64 ppc ~sparc ~x86"
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-15 11:34:08 UTC
ppc stable
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-15 11:56:19 UTC
I tend to vote NO.
Comment 8 Wolf Giesen (RETIRED) gentoo-dev 2006-09-15 12:32:16 UTC
Hm, since it seems to be on the same level as the recent DokuWiki vulnerability I'd say it's more B1 than anything else?!
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-15 23:47:58 UTC
This has nothing to do with the recent DokuWiki vulnerability. This one allows injection of web script (javascript) in the context of the victim's browser.
Comment 10 Wolf Giesen (RETIRED) gentoo-dev 2006-09-19 01:35:16 UTC
Maybe I was misled by Falco's link ... ehr <swirl> ... if we're still talking 1.9.4 ... isn't that one valid?
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-19 02:06:35 UTC
No, I was misled by an outdated Summary/Status.

/me blames falco.

Let's have the GLSA.
Comment 12 Tavis Ormandy (RETIRED) gentoo-dev 2006-09-19 05:40:52 UTC
I would vote YES.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-25 11:07:56 UTC
GLSA drafted, security please review.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-26 09:22:16 UTC
GLSA 200609-16