Upstream has issued another hotfix release:
https://www.dokuwiki.org/changes#release_2014-09-29d_hrun

Atilla has already packaged the update and updated packages are uploaded for Mageia 4 and Cauldron. Thanks Atilla!

I haven't seen a CVE request for this issue.

Advisory:
========================

Updated dokuwiki package fixes security vulnerability:

DokuWiki before 20140929d is vulnerable to a cross-site scripting (XSS) issue in the user manager. The user's details were not properly escaped in the user manager's edit form. This allows a registered user to edit her own name (using the change profile option) to include malicious JavaScript code. The code is executed when a super user tries to edit the user via the user manager.

References:
https://github.com/splitbrain/dokuwiki/issues/1081
https://www.dokuwiki.org/changes#release_2014-09-29d_hrun
========================

Updated packages in core/updates_testing:
========================
dokuwiki-20140929-1.4.mga4

from dokuwiki-20140929-1.4.mga4.src.rpm
CC: (none) => tarakbumba
Thank you David for this advisory, again. :)
Tested on mga4 32bit

Installed dokuwiki-20140929-1.3.mga4 and received the warning of the upgrade. Worked as expected creating and modifying files.

Hotfix release available: 2014-09-29d "Hrun". upgrade now! [46.4]

Installed dokuwiki-20140929-1.4.mga4 but I am still receiving the message, restarted httpd and it is still there. Unsure what I am doing wrong but http://localhost/dokuwiki/doku.php?do=check shows it still needs the update as well.
CC: (none) => dpremy
David, it does that. To remove those messages you need to delete /var/lib/dokuwiki/cache/messages.txt

If you turn on LDAP debugging, it shows notifications at the bottom of the page that never go away and I have yet to find where that information is stored...

Tested on mga4 64bit and 32bit.

Made a futile attempt to demonstrate the exploit with no success. Using LDAP authentication turns off user management in Dokuwiki, so used ACLs only.

Steps taken:
* Created a registered user.
* Logged in as that user, changed and saved the user name as: alert('exploited');
* Logged out as that user and logged in as administrator.
* Opened up User Management and clicked that user for editing.

Result: Trailing ';' had been removed from the user name after saving. Nothing else happened.

Another attempt:
* Logged in as that user, changed and saved the user name as: <script>alert('exploited');</script>
* Logged out as that user and logged in as administrator.
* Opened up User Management and clicked that user for editing.

Result: Angle brackets had been stripped from the user name, along with the trailing ';'. No javascript execution.

Ok, one last try:
* Edited the user as administrator and changed and saved the user's name to <script>alert('exploited');</script>
* This time angle brackets remained. Clicked on the user to edit user settings, but no javascript was executed.

Updated to dokuwiki-20140929-1.4.mga4 on both 32 and 64 bit release, then added new pages and users and everything works as expected.

------------------------------------------
Update validated.
Thanks.

Advisory:
Possibly pending.

SRPM: dokuwiki-20140929-1.4.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, warrendiogenese
Whiteboard: (none) => MGA4-64-OK MGA4-32-OK
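A renderer-level check for the escaping problem the advisory describes, as an added example that is not DokuWiki's or Mageia's code: it parses a rendered form field and reports stored names that do not come back as a single, unchanged attribute value. The `fullname` input, both render functions and the sample names are constructed, and placing the name in a quoted `value` attribute is an assumption the thread does not confirm.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical edit-form field; the real user manager markup is not on this page.
FIELD = '<input type="text" name="fullname" value="%s" />'

def render_unescaped(fullname):
    # Stand-in for a form field built by plain string interpolation.
    return FIELD % fullname

def render_escaped(fullname):
    # quote=True also encodes " and ', which an attribute value needs.
    return FIELD % escape(fullname, quote=True)

class _Collector(HTMLParser):
    """Records every start tag (with attributes) and any non-blank text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_data(self, data):
        if data.strip():
            self.text.append(data)

def field_is_intact(markup, stored):
    """True if markup is exactly one <input> whose value decodes to stored."""
    parser = _Collector()
    parser.feed(markup)
    parser.close()
    if len(parser.tags) != 1 or parser.text:
        return False
    tag, attrs = parser.tags[0]
    return (tag == "input" and set(attrs) == {"type", "name", "value"}
            and attrs["value"] == stored)

# Constructed sample names; the last is the string used in the test above.
SAMPLES = [
    "Alice Example",
    'Anne "Annie" O\'Neil',
    "<script>alert('exploited');</script>",
]

def audit(render):
    """Return the sample names that the renderer fails to round-trip."""
    return [s for s in SAMPLES if not field_is_intact(render(s), s)]

if __name__ == "__main__":
    print("unescaped fails on:", audit(render_unescaped))
    print("escaped fails on:  ", audit(render_escaped))
```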
Advisory is in Comment 0.
CC: (none) => davidwhodgins
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0118.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/638443/