Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 22 Apr 2012 22:46:26 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- DokuWiki: XSS and CSRF due improper
 escaping of 'target' parameter in preprocessing edit form data

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/22/2012 11:24 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> a cross-site scripting (XSS) and cross-site request forgery (CSRF) 
> flaws were found in the way DokuWiki, a standards compliant, simple
> to use Wiki, performed sanitization of the 'target' parameter when
> preprocessing edit form data. A remote attacker could provide a
> specially-crafted URL, which once visited by a valid DokuWiki user
> would lead to arbitrary HTML or web script execution in the context
> of logged in DokuWiki user.
> 
> References: [1] https://secunia.com/advisories/48848/ [2]
> http://ircrash.com/uploads/dokuwiki.txt [3]
> https://bugs.gentoo.org/show_bug.cgi?id=412891 [4]
> http://bugs.dokuwiki.org/index.php?do=details&task_id=2487 
> (upstream bug report for the XSS issue)

Please use CVE-2012-2129 for this issue.

> [5] http://bugs.dokuwiki.org/index.php?do=details&task_id=2488 
> (upstream bug report for the CSRF issue)

Please use CVE-2012-2128 for this issue

> [6] https://bugzilla.redhat.com/show_bug.cgi?id=815122 (Red Hat
> bugzilla entry)
> 
> Discovered by : Khashayar Fereidani
> 
> Proof of Concept URL: 
> http://sitename/doku.php?do=edit&id=S9F8W2A&target=<script>alert(123)</script>
>
> 
> 
> Could you allocate a 2012 CVE id for this issue? (one is enough
> because only 'target' parameter isn't properly escaped, leading to
> XSS or CSRF {see [2] for further examples})

Under ADT2: 	Are X and Y different bug types? (e.g. buffer overflow,
SQL injection, NULL pointer dereference?) Yes: SPLIT them.

> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPlN6iAAoJEBYNRVNeJnmTqdUQAL954UvCMFpkIUpdlUVUj9zR
jf4qAx13KVvKcxmu4Qyg4ZkO8qjn3I4eFJCqLpx7TTp1hSAcPF7bteGUemBBtB5B
loG4wNbVYpCZii1ZhIBLIHw9hNlknS18dmstpmRWTRAcpBj2uzppMCaaqB5qBM1H
V/+rTVh3cpGF8TcoI7u+uLWsDmDXI1LmUsVy/7TtkvWVry7sjQj0IqZl4DtXtlct
w84cXrfI9ImFwbEe7dL6SBl8TMGAPUFWvzWLotgus9XiEIICI12R5DjvvA60wtiL
9alOe28mPjQ0xdSNBCMgLq7f1cR6lf+0W5H+Mrs2+TA0VcPYu5VTpPtISjK7Hh56
vnl8R5MVMpB/oWOsAXt/9m52UKCNmCT1gHPw4QRy8zGbjoAn3Ey8i4ywcG6ZoZP7
IzhSktbcIYI5urpfh25REz5vSkMZwh3y8Vb/wuYa8KcxNcIZVGpu6SYx5E/gvlSb
ZunIs3HqHnif/FXlisvbg6YMFZwoYb9sCzA5+H6kcjfX8DWlqX7g92DraTvHHV+8
YR3YIHfhSyPvANE+YL0oWHZHoL6PIMJsFNE9cujA8qu1D99HcGTJgxlyo4/r0D4U
7uutIQ3Ub82Pc9A6+SHUZtSWOGKsXk1j7DFsPwbemVw+dBXkjOr8MNjdQLz6DOtn
2HRZTS+OV9gx35HJyant
=vpvh
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ