| Summary: | dokuwiki new XSS security issue fixed upstream in 2014-09-29d | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, dpremy, sysadmin-bugs, tarakbumba, warrendiogenese |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/638443/ | ||
| Whiteboard: | MGA4-64-OK MGA4-32-OK advisory | ||
| Source RPM: | dokuwiki-20140929-1.3.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-03-20 18:15:33 CET
David Walser
2015-03-20 18:15:42 CET
CC:
(none) =>
tarakbumba

Thank you David for this advisory, again. :)

Tested on mga4 32bit

Installed dokuwiki-20140929-1.3.mga4 and received the warning of the upgrade. Worked as expected creating and modifying files.

Hotfix release available: 2014-09-29d "Hrun". upgrade now! [46.4]

Installed dokuwiki-20140929-1.4.mga4 but I am still receiving the message, restarted httpd and it is still there. Unsure what I am doing wrong but http://localhost/dokuwiki/doku.php?do=check shows it still needs the update as well.

CC:
(none) =>
dpremy

David, it does that. To remove those messages you need to delete /var/lib/dokuwiki/cache/messages.txt
If you turn on LDAP debugging, it shows notifications at the bottom of the page that never go away and I have yet to find where that information is stored...
Tested on mga4 64bit and 32bit.
Made a futile attempt to demonstrate the exploit with no success.
Using LDAP authentication turns off user management in Dokuwiki, so used ACLs only.
Steps taken:
* Created a registered user.
* Logged in as that user, changed and saved the user name as: alert('exploited');
* Logged out as that user and logged in as administrator.
* Opened up User Management and clicked that user for editing.
Result: Trailing ';' had been removed from the user name after saving. Nothing else happened.
Another attempt:
* Logged in as that user, changed and saved the user name as: <script>alert('exploited');</script>
* Logged out as that user and logged in as administrator.
* Opened up User Management and clicked that user for editing.
Result: Angle brackets had been stripped from the user name, along with the trailing ';'. No javascript execution.
Ok, one last try:
* Edited user as administrator and changed and saved the user's name to <script>alert('exploited');</script>
* This time angle brackets remained. Clicked on the user to edit user settings, but no javascript was executed.
Updated to dokuwiki-20140929-1.4.mga4 on both 32 and 64 bit release, then added new pages and users and everything works as expected.
------------------------------------------
Update validated.
Thanks.
Advisory:
Possibly pending.
SRPM: dokuwiki-20140929-1.4.mga4.src.rpm
Could sysadmin please push from core/updates_testing to core/updates.
Thank you!
------------------------------------------
Keywords:
(none) =>
validated_update
Dave Hodgins
2015-03-27 17:05:53 CET
CC:
(none) =>
davidwhodgins

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0118.html

Status:
NEW =>
RESOLVED
David Walser
2015-03-30 15:27:33 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/638443/