| Summary: | dokuwiki new security issues CVE-2012-0283, CVE-2012-2128, CVE-2012-2129 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, dmorganec, mageia, rod.emerson, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/499173/ | ||
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=6480 | ||
| Whiteboard: | MGA2-32-OK MGA2-64-OK | ||
| Source RPM: | dokuwiki-20110525-2.mga2.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2012-05-29 23:40:42 CEST
David Walser
2012-06-14 21:39:53 CEST
CC:
(none) =>
mageia

An update is needed for Mageia 2. The version in Cauldron *is* vulnerable too.
David Walser
2012-06-14 21:41:06 CEST
CC:
(none) =>
dmorganec
Rod Emerson
2012-06-16 11:44:36 CEST
See Also:
(none) =>
https://bugs.mageia.org/show_bug.cgi?id=6480

As pointed out on Bug 6480, Cauldron is fixed. Updating to the same version for Mageia 2 would be sufficient.
David Walser
2012-06-17 11:34:03 CEST
Version:
Cauldron =>
2

(In reply to comment #3)
> As pointed out on Bug 6480, Cauldron is fixed.

I see Cauldron does indeed have dokuwiki-2012-01-25a.tgz, one new thing I saw with 2012-01-25a was httpd error_log entries when accessing the Admin page:

File does not exist: /var/www/dokuwiki/data, referer: http://mga2/dokuwiki/doku.php?id=start&do=admin

This wants to put a padlock image in the top right of the page via:

<a style="border:none; float:right;" href="http://www.dokuwiki.org/security#web_access_security">
<img src="data/security.png" alt="Your data directory seems to be protected properly." onerror="this.parentNode.style.display='none'" /></a>

That is the reason for the additional symlink in the SPEC mods seen in bug 6480:

+(cd %{buildroot}%{_var}/www/%{name} && ln -sf ../../..%{_datadir}/%{name}/lib/plugins/config/images data)

With the symlink in place the img is seen, clicking this padlock image leads to http://www.dokuwiki.org/security#web_access_security for an explanation of what the padlock or other images mean.

There is also CVE-2012-3354, not sure what version it's fixed in:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3354

Summary:
dokuwiki new security issues CVE-2012-2128 and CVE-2012-2129 =>
dokuwiki new security issues CVE-2012-2128, CVE-2012-2129, and CVE-2012-3354

Now 2012-01-25b has been released fixing CVE-2012-0283, also known as SA49196.
http://www.securelist.com/en/advisories/49196

Version:
2 =>
Cauldron

Updated package uploaded for Mageia 2 and Cauldron.

CVE-2012-3354 has not been fixed, but it is unimportant and should not affect production systems (only systems with a PHP configuration appropriate for development machines are vulnerable).

PoC for 2128/2129 is on https://bugzilla.redhat.com/show_bug.cgi?id=815122

Advisory:
========================

Updated dokuwiki package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in the tpl_mediaFileList function in inc/template.php in DokuWiki before 2012-01-25b allows remote attackers to inject arbitrary web script or HTML via the ns parameter in a medialist action to lib/exe/ajax.php (SA49196, CVE-2012-0283).

Cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws were found in the way DokuWiki, a standards compliant, simple to use Wiki, performed sanitization of the 'target' parameter when preprocessing edit form data. A remote attacker could provide a specially-crafted URL, which once visited by a valid DokuWiki user would lead to arbitrary HTML or web script execution in the context of a logged in DokuWiki user (SA48848, CVE-2012-2128, CVE-2012-2129).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2129
https://secunia.com/advisories/48848/
http://www.securelist.com/en/advisories/49196
https://www.dokuwiki.org/changes
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081284.html
========================

Updated packages in core/updates_testing:
========================
dokuwiki-20120125-1.mga2

from dokuwiki-20120125-1.mga2.src.rpm

Version:
Cauldron =>
2
David Walser
2012-08-08 22:42:36 CEST
Severity:
normal =>
major

I'll be testing Mageia 2 i586 shortly.

CC:
(none) =>
davidwhodgins

Trying
http://127.0.0.1/doku.php?do=edit&id=S9F8W2A&target=<script>alert(123)</script>
with the core release version, I'm just getting a 404, page not found.

I'll install the update, and just confirm it's working.

I did figure out it should be
http://127.0.0.1/dokuwiki/doku.php?do=edit&id=S9F8W2A&target=<script>alert(123)</script>

Doesn't work in chromium-browser, but does with firefox and opera.

The update does fix the problem.

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
dokuwiki-20120125-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated dokuwiki package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in the tpl_mediaFileList function in inc/template.php in DokuWiki before 2012-01-25b allows remote attackers to inject arbitrary web script or HTML via the ns parameter in a medialist action to lib/exe/ajax.php (SA49196, CVE-2012-0283).

Cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws were found in the way DokuWiki, a standards compliant, simple to use Wiki, performed sanitization of the 'target' parameter when preprocessing edit form data. A remote attacker could provide a specially-crafted URL, which once visited by a valid DokuWiki user would lead to arbitrary HTML or web script execution in the context of a logged in DokuWiki user (SA48848, CVE-2012-2128, CVE-2012-2129).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2129
https://secunia.com/advisories/48848/
http://www.securelist.com/en/advisories/49196
https://www.dokuwiki.org/changes
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081284.html

https://bugs.mageia.org/show_bug.cgi?id=6166

Keywords:
(none) =>
validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0207

Status:
NEW =>
RESOLVED
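
The QA test in this thread was done by hand in a browser and gave different results in different browsers. As an added example (not part of the original report and not DokuWiki or Mageia code), the check below judges the response body instead, so the verdict does not depend on the browser. The marker, the function names and the sample bodies are constructed; the probe carries only HTML metacharacters between two markers, sent as the 'target' parameter of the edit URL quoted above.

```python
import re
from urllib.parse import urlencode

MARKER = "qaprobe7f3a"            # constructed token, unlikely to occur in a normal page
META = "<>\"'"                    # characters that must come back entity-encoded
PROBE = MARKER + META + MARKER    # harmless value sent as the 'target' parameter

_REFLECTION = re.compile(re.escape(MARKER) + r"(.{0,64}?)" + re.escape(MARKER), re.S)


def probe_url(base: str, page_id: str = "S9F8W2A") -> str:
    """Build the edit-action URL used in the thread, with PROBE as the target."""
    return base + "?" + urlencode({"do": "edit", "id": page_id, "target": PROBE})


def raw_metachars(body: str) -> list:
    """Metacharacters reflected between two markers without entity encoding."""
    raw = set()
    for match in _REFLECTION.finditer(body):
        raw.update(c for c in META if c in match.group(1))
    return sorted(raw)


def verdict(body: str) -> str:
    """Summarise one response body for the test report."""
    if not _REFLECTION.search(body):
        return "not reflected"
    raw = raw_metachars(body)
    return "unescaped: " + " ".join(raw) if raw else "encoded"


# Constructed response bodies (not captured DokuWiki output).
PRE_FIX = '<div class="error">target ' + PROBE + " not found</div>"
POST_FIX = '<div class="error">target qaprobe7f3a&lt;&gt;&quot;&#039;qaprobe7f3a not found</div>'
# Partial encoding: a raw single quote inside a single-quoted attribute is still a break-out.
PARTIAL = "<input type='hidden' name='target' value='qaprobe7f3a&lt;&gt;&quot;'qaprobe7f3a'>"

if __name__ == "__main__":
    print(probe_url("http://127.0.0.1/dokuwiki/doku.php"))
    for name, body in (("pre-fix", PRE_FIX), ("post-fix", POST_FIX), ("partial", PARTIAL)):
        print(f"{name:9} {verdict(body)}")
```

In a real run the bodies come from fetching `probe_url(...)` against the test install before and after the update, using a logged-in session where the wiki requires one.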