Bug 6166 - dokuwiki new security issues CVE-2012-0283, CVE-2012-2128, CVE-2012-2129
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/499173/
Whiteboard: MGA2-32-OK MGA2-64-OK
Keywords: validated_update
Reported: 2012-05-29 23:40 CEST by David Walser
Modified: 2012-08-12 20:08 CEST (History)
Source RPM: dokuwiki-20110525-2.mga2.src.rpm

Description David Walser 2012-05-29 23:40:42 CEST
Fedora has issued an advisory on April 26:
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081284.html

Cauldron will need updated as well.
Comment 1 David Walser 2012-06-14 21:40:47 CEST
An update is needed for Mageia 2.  The version in Cauldron *is* vulnerable too.
Comment 2 Rod Emerson 2012-06-16 11:43:08 CEST
See https://bugs.mageia.org/show_bug.cgi?id=6480
Comment 3 David Walser 2012-06-17 11:33:05 CEST
As pointed out on Bug 6480, Cauldron is fixed.  Updating to the same version for Mageia 2 would be sufficient.
Comment 4 Rod Emerson 2012-06-17 12:05:40 CEST
(In reply to comment #3)
> As pointed out on Bug 6480, Cauldron is fixed.

I see Cauldron does indeed have dokuwiki-2012-01-25a.tgz. One new thing
I saw with 2012-01-25a was httpd error_log entries when accessing the
Admin page:

File does not exist: /var/www/dokuwiki/data, referer: http://mga2/dokuwiki/doku.php?id=start&do=admin

This wants to put a padlock image in the top right of the page via:

  <a style="border:none; float:right;"
            href="http://www.dokuwiki.org/security#web_access_security">
            <img src="data/security.png" alt="Your data directory seems to be protected properly."
             onerror="this.parentNode.style.display='none'" /></a>


That is the reason for the additional symlink in the SPEC mods seen in bug 6480:

+(cd %{buildroot}%{_var}/www/%{name} && ln -sf ../../..%{_datadir}/%{name}/lib/plugins/config/images data)

With the symlink in place the img is seen; clicking this padlock
image leads to http://www.dokuwiki.org/security#web_access_security
for an explanation of what the padlock or other images mean.
Comment 5 David Walser 2012-07-06 17:22:04 CEST
There is also CVE-2012-3354, not sure what version it's fixed in:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3354
Comment 6 David Walser 2012-07-14 04:37:19 CEST
Now 2012-01-25b has been released fixing CVE-2012-0283, also known as SA49196.

http://www.securelist.com/en/advisories/49196
Comment 7 David Walser 2012-08-08 18:42:21 CEST
Updated package uploaded for Mageia 2 and Cauldron.

CVE-2012-3354 has not been fixed, but it is unimportant and should not affect production systems (only systems with a PHP configuration appropriate for development machines are vulnerable).

PoC for 2128/2129 is on https://bugzilla.redhat.com/show_bug.cgi?id=815122

Advisory:
========================

Updated dokuwiki package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in the tpl_mediaFileList
function in inc/template.php in DokuWiki before 2012-01-25b allows remote
attackers to inject arbitrary web script or HTML via the ns parameter in a
medialist action to lib/exe/ajax.php (SA49196, CVE-2012-0283).

Cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws
were found in the way DokuWiki, a standards-compliant, simple-to-use wiki,
performed sanitization of the 'target' parameter when preprocessing edit
form data. A remote attacker could provide a specially crafted URL which,
once visited by a valid DokuWiki user, would lead to arbitrary HTML or web
script execution in the context of the logged-in DokuWiki user (SA48848,
CVE-2012-2128, CVE-2012-2129).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2129
https://secunia.com/advisories/48848/
http://www.securelist.com/en/advisories/49196
https://www.dokuwiki.org/changes
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081284.html
========================

Updated packages in core/updates_testing:
========================
dokuwiki-20120125-1.mga2

from dokuwiki-20120125-1.mga2.src.rpm
Comment 8 Dave Hodgins 2012-08-09 02:29:24 CEST
I'll be testing Mageia 2 i586 shortly.
Comment 9 Dave Hodgins 2012-08-09 02:44:04 CEST
Trying http://127.0.0.1/doku.php?do=edit&id=S9F8W2A&target=<script>alert(123)</script>
with the core release version, I'm just getting a 404, page not found.

I'll install the update, and just confirm it's working.
Comment 10 Dave Hodgins 2012-08-09 03:05:29 CEST
I did figure out it should be
http://127.0.0.1/dokuwiki/doku.php?do=edit&id=S9F8W2A&target=<script>alert(123)</script>

Doesn't work in chromium-browser, but does with firefox and opera.

The update does fix the problem.

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
dokuwiki-20120125-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated dokuwiki package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in the tpl_mediaFileList
function in inc/template.php in DokuWiki before 2012-01-25b allows remote
attackers to inject arbitrary web script or HTML via the ns parameter in a
medialist action to lib/exe/ajax.php (SA49196, CVE-2012-0283).

Cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws
were found in the way DokuWiki, a standards-compliant, simple-to-use wiki,
performed sanitization of the 'target' parameter when preprocessing edit
form data. A remote attacker could provide a specially crafted URL which,
once visited by a valid DokuWiki user, would lead to arbitrary HTML or web
script execution in the context of the logged-in DokuWiki user (SA48848,
CVE-2012-2128, CVE-2012-2129).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2129
https://secunia.com/advisories/48848/
http://www.securelist.com/en/advisories/49196
https://www.dokuwiki.org/changes
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081284.html

https://bugs.mageia.org/show_bug.cgi?id=6166
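For admins who want to know whether the two entry points named in the advisory (the 'target' parameter of doku.php and the 'ns' parameter of lib/exe/ajax.php) were probed before the update was applied, here is an added example of a log check; it is not code from DokuWiki or from this bug, and the Apache access-log lines and IPs in it are constructed samples in the shape of the test URL from comment 10.

```python
# Added example, not DokuWiki or Mageia code: flag Apache access-log
# requests that carry markup in the DokuWiki parameters named in the
# advisory. Log lines below are constructed samples.
import re
from urllib.parse import urlsplit, parse_qs

# (endpoint path suffix -> query parameter) taken from the advisory text
WATCHED = {
    "/doku.php": "target",        # CVE-2012-2128 / CVE-2012-2129
    "/lib/exe/ajax.php": "ns",    # CVE-2012-0283 (medialist action)
}
# characters/tokens that never belong in a wiki page id or namespace
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|on\w+=", re.IGNORECASE)
# common log format: client, ident, user, [time], "METHOD path HTTP/x", status
REQ_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def check_request(path_and_query):
    """Return (endpoint, param, decoded value) when a watched parameter of a
    watched endpoint contains suspicious markup, else None."""
    parts = urlsplit(path_and_query)
    for suffix, param in WATCHED.items():
        if not parts.path.endswith(suffix):
            continue
        # parse_qs percent-decodes, so %3Cscript%3E becomes <script>
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if SUSPICIOUS.search(value):
                return (suffix, param, value)
    return None

def scan_log(lines):
    """Return (client_ip, status, endpoint, param, value) for each hit."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if m and (found := check_request(m.group(2))):
            hits.append((m.group(1), m.group(3)) + found)
    return hits

SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 - - [09/Aug/2012:03:05:29 +0200] "GET /dokuwiki/doku.php?do=edit&id=S9F8W2A&target=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1" 200 4321',
    '10.0.0.5 - - [09/Aug/2012:03:06:01 +0200] "GET /dokuwiki/doku.php?do=edit&id=start&target=section HTTP/1.1" 200 4000',
    '10.0.0.9 - - [09/Aug/2012:03:07:10 +0200] "GET /dokuwiki/lib/exe/ajax.php?call=medialist&ns=wiki%22%3E%3Cimg HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Aug/2012:03:07:12 +0200] "GET /dokuwiki/lib/exe/ajax.php?call=medialist&ns=wiki HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, status, endpoint, param, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {endpoint} {param}={value!r}")
```

Run it against a real access_log with `scan_log(open("/var/log/httpd/access_log"))`; the path is an assumption for your system.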
Comment 11 Thomas Backlund 2012-08-12 20:08:20 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0207
