Date: Sun, 22 Apr 2012 19:24:00 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com
Subject: CVE Request -- DokuWiki: XSS and CSRF due improper escaping of 'target'
 parameter in preprocessing edit form data

Hello Kurt, Steve, vendors,

   cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws were
found in the way DokuWiki, a standards-compliant, simple-to-use wiki, performed
sanitization of the 'target' parameter when preprocessing edit form data. A
remote attacker could provide a specially crafted URL, which, once visited by a
valid DokuWiki user, would lead to arbitrary HTML or web script execution in the
context of the logged-in DokuWiki user.

References:
[1] https://secunia.com/advisories/48848/
[2] http://ircrash.com/uploads/dokuwiki.txt
[3] https://bugs.gentoo.org/show_bug.cgi?id=412891
[4] http://bugs.dokuwiki.org/index.php?do=details&task_id=2487
     (upstream bug report for the XSS issue)
[5] http://bugs.dokuwiki.org/index.php?do=details&task_id=2488
     (upstream bug report for the CSRF issue)
[6] https://bugzilla.redhat.com/show_bug.cgi?id=815122
     (Red Hat bugzilla entry)

Discovered by: Khashayar Fereidani

Proof of Concept URL:
http://sitename/doku.php?do=edit&id=S9F8W2A&target=<script>alert(123)</script>

Could you allocate a 2012 CVE id for this issue? (one is enough because
only the 'target' parameter isn't properly escaped, leading to XSS or CSRF
{see [2] for further examples})

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
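
A log check for the request shape in the proof-of-concept URL above, as an added example that is not part of the original message or of DokuWiki: it scans web server access-log lines for `doku.php` edit requests whose decoded `target` value is not a plain identifier. The allowlist pattern, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate 'target' value is a short lowercase identifier.
# Anything else (markup, quotes, spaces) is reported for review.
SAFE_TARGET = re.compile(r"^[a-z0-9_]{1,32}$")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines in combined log format (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Apr/2012:19:30:01 +0200] "GET /doku.php?do=edit&id=start&target=section HTTP/1.1" 200 5120',
    '192.0.2.44 - - [22/Apr/2012:19:31:17 +0200] "GET /doku.php?do=edit&id=S9F8W2A&target=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1" 200 5342',
    '192.0.2.10 - - [22/Apr/2012:19:32:40 +0200] "GET /doku.php?id=start HTTP/1.1" 200 4011',
]


def suspicious_edit_requests(log_lines):
    """Return (line_number, decoded_target) for edit requests with an unexpected 'target'."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("doku.php"):
            continue
        # parse_qs percent-decodes values, so encoded markup is compared in decoded form.
        params = parse_qs(url.query, keep_blank_values=True)
        if "edit" not in params.get("do", []):
            continue
        for target in params.get("target", []):
            if not SAFE_TARGET.match(target):
                hits.append((line_no, target))
    return hits


if __name__ == "__main__":
    for line_no, target in suspicious_edit_requests(SAMPLE_LOG):
        # repr() keeps the reported value inert when printed to a terminal.
        print(f"line {line_no}: unexpected target {target!r}")
```
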
