Bug 412891 (CVE-2012-2129) - <www-apps/dokuwiki-20110525a: "target" Cross-Site Scripting Vulnerability (CVE-2012-{2128,2129})
Status: RESOLVED FIXED
Alias: CVE-2012-2129
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48848/
Whiteboard: B4 [glsa]
Reported: 2012-04-21 09:45 UTC by Agostino Sarubbo
Modified: 2013-01-09 00:54 UTC

Description Agostino Sarubbo gentoo-dev 2012-04-21 09:45:35 UTC
From secunia:

Description
Khashayar Fereidani has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "target" parameter to doku.php (when "do" is set to "edit") is not properly sanitised in inc/html.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 2012-01-25. Other versions may also be affected.


Solution
Edit the source code to ensure that input is properly sanitised (unpatched).
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-09-08 15:38:32 UTC
CVE-2012-2129 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2129):
  Cross-site scripting (XSS) vulnerability in doku.php in DokuWiki 2012-01-25
  Angua allows remote attackers to inject arbitrary web script or HTML via the
  target parameter in an edit action.

CVE-2012-2128 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2128):
  ** DISPUTED **  Cross-site request forgery (CSRF) vulnerability in doku.php
  in DokuWiki 2012-01-25 Angua allows remote attackers to hijack the
  authentication of administrators for requests that add arbitrary users. 
  NOTE: this issue has been disputed by the vendor, who states that it is
  resultant from CVE-2012-2129: "the exploit code simply uses the XSS hole to
  extract a valid CSRF token."
Comment 2 Lance Albertson (RETIRED) gentoo-dev 2012-12-24 18:05:14 UTC
FWIW I just bumped dokuwiki to 20121013. Feel free to mark stable after tests have checked it out. Not sure if that version has the fix in it or not.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-01-09 00:54:42 UTC
This issue was resolved and addressed in
 GLSA 201301-07 at http://security.gentoo.org/glsa/glsa-201301-07.xml
by GLSA coordinator Stefan Behte (craig).