Bug 15539 - dokuwiki new XSS security issue fixed upstream in 2014-09-29d
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/638443/
Whiteboard: MGA4-64-OK MGA4-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-20 18:15 CET by David Walser
Modified: 2015-03-30 15:27 CEST

See Also:
Source RPM: dokuwiki-20140929-1.3.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2015-03-20 18:15:33 CET
Upstream has issued another hotfix release:
https://www.dokuwiki.org/changes#release_2014-09-29d_hrun

Atilla has already packaged the update and updated packages are uploaded for Mageia 4 and Cauldron.  Thanks Atilla!

I haven't seen a CVE request for this issue.

Advisory:
========================

Updated dokuwiki package fixes security vulnerability:

DokuWiki before 20140929d is vulnerable to a cross-site scripting (XSS) issue
in the user manager. The user's details were not properly escaped in the user
manager's edit form. This allows a registered user to edit her own name
(using the change profile option) to include malicious JavaScript code. The
code is executed when a super user tries to edit the user via the user
manager.

References:
https://github.com/splitbrain/dokuwiki/issues/1081
https://www.dokuwiki.org/changes#release_2014-09-29d_hrun
========================

Updated packages in core/updates_testing:
========================
dokuwiki-20140929-1.4.mga4

from dokuwiki-20140929-1.4.mga4.src.rpm

David Walser 2015-03-20 18:15:42 CET

CC: (none) => tarakbumba
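
Added example, not part of the bug report and not DokuWiki's own code: the advisory in the description attributes the issue to user details that were not escaped in the user manager's edit form. The sketch below shows a form field rendered without and with HTML-attribute encoding, plus a regression check. The function names, the field name and the sample value are hypothetical.

```php
<?php
// Illustration only: function names, field name and sample data are
// hypothetical and are not taken from DokuWiki's source.

const FIELD_OPEN  = '<input type="text" name="fullname" value="';
const FIELD_CLOSE = '" />';

// Before: the stored full name is concatenated into the attribute as-is,
// so any HTML metacharacters in it become part of the admin's page markup.
function render_name_field_unescaped(string $fullname): string
{
    return FIELD_OPEN . $fullname . FIELD_CLOSE;
}

// After: encode for an HTML attribute context. ENT_QUOTES covers both
// quote styles, so the value can close neither the attribute nor the tag.
function render_name_field_escaped(string $fullname): string
{
    $safe = htmlspecialchars($fullname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return FIELD_OPEN . $safe . FIELD_CLOSE;
}

// Regression check for the edit form: the value between the quotes must
// contain no raw metacharacter, and decoding it must return the stored
// name unchanged (escaping happens on output, the stored data is intact).
function attribute_value_is_safe(string $html, string $stored): bool
{
    $inner = substr($html, strlen(FIELD_OPEN), -strlen(FIELD_CLOSE));
    return strpbrk($inner, '<>"\'') === false
        && htmlspecialchars_decode($inner, ENT_QUOTES) === $stored;
}

// Constructed sample: a harmless name that contains HTML metacharacters.
$stored = 'Pat "The <b>Admin</b>" O\'Neil';

echo render_name_field_unescaped($stored), PHP_EOL;
echo render_name_field_escaped($stored), PHP_EOL;

if (attribute_value_is_safe(render_name_field_unescaped($stored), $stored)) {
    throw new RuntimeException('unescaped rendering unexpectedly passed');
}
if (!attribute_value_is_safe(render_name_field_escaped($stored), $stored)) {
    throw new RuntimeException('escaped rendering failed the check');
}
echo "attribute encoding check passed", PHP_EOL;
```

Escaping at output time rather than stripping characters on save keeps the stored name intact and protects every form that displays it.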

Comment 1 Atilla ÖNTAŞ 2015-03-20 23:24:07 CET
Thank you David for this advisory, again. :)
Comment 2 David Remy 2015-03-27 04:47:49 CET
Tested on mga4 32bit

Installed dokuwiki-20140929-1.3.mga4 and received the warning of the upgrade. Worked as expected creating and modifying files.

Hotfix release available: 2014-09-29d "Hrun". upgrade now! [46.4]

Installed dokuwiki-20140929-1.4.mga4 but I am still receiving the message, restarted httpd and it is still there. Unsure what I am doing wrong but http://localhost/dokuwiki/doku.php?do=check shows it still needs the update as well.

CC: (none) => dpremy

Comment 3 William Murphy 2015-03-27 07:42:43 CET
David, it does that. To remove those messages you need to delete /var/lib/dokuwiki/cache/messages.txt

If you turn on LDAP debugging, it shows notifications at the bottom of the page that never go away and I have yet to find where that information is stored...

Tested on mga4 64bit and 32bit.

Made a futile attempt to demonstrate the exploit with no success.
Using LDAP authentication turns off user management in Dokuwiki, so used ACLs only.

Steps taken:
 * Created a registered user.
 * Logged in as that user, changed and saved the user name as: alert('exploited');
 * Logged out as that user and logged in as administrator.
 * Opened up User Management and clicked that user for editing.
  Result: Trailing ';' had been removed from the user name after saving. Nothing else happened.

Another attempt: 
 * Logged in as that user, changed and saved the user name as: <script>alert('exploited');</script>
 * Logged out as that user and logged in as administrator.
 * Opened up User Management and clicked that user for editing.
  Result: Angle brackets had been stripped from the user name, along with the trailing ';'. No javascript execution.

Ok, one last try:
 * Edit user as administrator and changed and saved the user's name to <script>alert('exploited');</script>
 * This time angle brackets remained. Clicked on the user to edit user settings, but no javascript was executed.

Updated to dokuwiki-20140929-1.4.mga4 on both 32 and 64 bit release, then added new pages and users and everything works as expected.

------------------------------------------
Update validated.
Thanks.

Advisory:
  Possibly pending.

SRPM: dokuwiki-20140929-1.4.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, warrendiogenese
Whiteboard: (none) => MGA4-64-OK MGA4-32-OK

Comment 4 David Walser 2015-03-27 13:07:28 CET
Advisory is in Comment 0.
Dave Hodgins 2015-03-27 17:05:53 CET

CC: (none) => davidwhodgins
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory

Comment 5 Mageia Robot 2015-03-27 22:13:11 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0118.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-03-30 15:27:33 CEST

URL: (none) => http://lwn.net/Vulnerabilities/638443/

