-----BEGIN PGP SIGNED MESSAGE-----
STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerability
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (firstname.lastname@example.org)
Zwiki is a wiki clone in zope. It has a cross site scripting vulnerability.
Implementation Error: Input validation flaw
Due to an input validation flaw, the Zwiki is vulnerable to cross site
proof of concept
Medium: Malicious attackers can inject and execute arbitrary script code in
a user's browser session in context of an affected site.
There is no known workaround at this time.
Zwiki 0.36.2 and prior
Vendor Status: NOT FIXED
2004-10-01 Vulnerability found.
2004-10-01 Zwiki developer notified.
2004-11-22 Official release.
Jeremy Bae at STG Security
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
-----END PGP SIGNATURE-----
0.37 is due out 12/01/04. Setting status to [upstream] until this release.
lists a proposed patch:
Fix -- Fri, 26 Nov 2004 01:20:53 -0800 reply
Here's the fix, to be applied to the file in the ZWiki product on disk, and in any instances of this standard_error_message that exist in your ZODB:
--- standard_error_message.dtml.original Fri Nov 26 09:17:22 2004
+++ standard_error_message.dtml Fri Nov 26 09:17:55 2004
@@ -29,7 +29,7 @@
I could not find any likely page matching
- "<b><dtml-var "here.urlunquote(searchexpr)"></b>"
+ "<b><dtml-var "here.urlunquote(searchexpr)" html_quote></b>"
Click here to
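Review bot: the added `html_quote` on the `searchexpr` line covers only that one interpolation, and the trailing context line `Click here to` is cut off, so it is not visible whether the link that follows also outputs `searchexpr`. If it does, that use needs `url_quote` (inside an href) or `html_quote` as well. Applying `html_quote` to the result of `here.urlunquote(...)` is the right order, since the decoded value is what reaches the browser. The diff only touches the on-disk `standard_error_message.dtml`, so copies of the template already stored in the ZODB have to receive the same one-line edit by hand.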
according to http://zwiki.org/925ZwikiXSSVulnerabilityemail@example.com the patch mentioned in comment #2 is going into 0.37
the zwiki repository already includes it, see http://zwiki.org/repos/ZWiki/content/basic/standard_error_message.dtml
and for the diff: http://zwiki.org/cgi-bin/darcs?ZWiki**20041130080308-e02d6-1004ac472bd9fb2924af6ec6ca708b33c5e18f6b.gz
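One way to check whether a template still lacks the fix discussed above, as an added example (not code from Zwiki, the advisory or this thread): it lists `dtml-var` tags that carry no `html_quote`, `url_quote` or `url_quote_plus` attribute. The sample text is constructed from the two patch lines; ZODB copies are assumed to have been saved to text files first, and a finding is a prompt for manual review rather than proof of a flaw.

```python
import re
import sys
from pathlib import Path

# <dtml-var ...> tag; a quoted expression is consumed whole because it may contain '>'.
DTML_VAR = re.compile(r'<dtml-var\s+((?:"[^"]*"|[^">])*)>', re.IGNORECASE)
# dtml-var attributes that encode the inserted value for HTML or URL context.
ENCODERS = {"html_quote", "url_quote", "url_quote_plus"}

# Constructed sample: the "before" and "after" lines of the patch plus one encoded tag.
SAMPLE = '''I could not find any likely page matching
"<b><dtml-var "here.urlunquote(searchexpr)"></b>"
"<b><dtml-var "here.urlunquote(searchexpr)" html_quote></b>"
<dtml-var title_or_id html_quote>
'''


def unencoded_vars(template_text):
    """Return (line_number, tag) for every dtml-var lacking an encoding attribute."""
    findings = []
    for match in DTML_VAR.finditer(template_text):
        # Blank out quoted expressions so their contents are not read as attributes.
        attrs = re.sub(r'"[^"]*"', " ", match.group(1)).lower().split()
        if not ENCODERS.intersection(attrs):
            line_no = template_text.count("\n", 0, match.start()) + 1
            findings.append((line_no, match.group(0)))
    return findings


def scan_files(paths):
    """Scan template files on disk; returns {path: findings} for files with findings."""
    report = {}
    for path in paths:
        found = unencoded_vars(Path(path).read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report


if __name__ == "__main__":
    # With file arguments, scan them; with none, run on the constructed sample.
    if len(sys.argv) > 1:
        for name, found in scan_files(sys.argv[1:]).items():
            for line_no, tag in found:
                print(f"{name}:{line_no}: {tag}")
    else:
        for line_no, tag in unencoded_vars(SAMPLE):
            print(f"sample:{line_no}: {tag}")
```

Tags that insert trusted markup on purpose will also be listed, so each hit needs a look at where its value comes from.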
net-zope: since 0.37 is overdue already, you should consider adding this relatively simple patch into a new revision
net-zope, this bug is open for quite a while now, pls comment
revision bump to 0.36.2, checked in ~x86
This issue is not fixed in 0.36.2.
net-zope, please either apply patch or wait for 0.37 which is coming out "any day now".
we'll wait for the new release
fixed as version 0.36.2-r1.
will be marked stable in a few hours, please report back in case of problems.
Thanks Radoslaw :)
(note: only needs x86 stable marking, otherwise it's just ~ppc and didn't have a stable version there before)
committed into portage as stable x86.
Not FIXED until glsa is released...
security, pls vote on GLSA
Hmm... I would tend to say "yes", as zwiki is a CMS, like wordpress or others we've issued advisories for.
Initially I would tend to say no, but with Koon's arguments I tend to say yes.
that's three times a "yes" -> GLSA