Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 22 Apr 2012 22:46:26 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- DokuWiki: XSS and CSRF due improper
 escaping of 'target' parameter in preprocessing edit form data

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/22/2012 11:24 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> a cross-site scripting (XSS) and cross-site request forgery (CSRF) 
> flaws were found in the way DokuWiki, a standards compliant, simple
> to use Wiki, performed sanitization of the 'target' parameter when
> preprocessing edit form data. A remote attacker could provide a
> specially-crafted URL, which once visited by a valid DokuWiki user
> would lead to arbitrary HTML or web script execution in the context
> of logged in DokuWiki user.
> 
> References: [1] https://secunia.com/advisories/48848/ [2]
> http://ircrash.com/uploads/dokuwiki.txt [3]
> https://bugs.gentoo.org/show_bug.cgi?id=412891 [4]
> http://bugs.dokuwiki.org/index.php?do=details&task_id=2487 
> (upstream bug report for the XSS issue)

Please use CVE-2012-2129 for this issue.

> [5] http://bugs.dokuwiki.org/index.php?do=details&task_id=2488 
> (upstream bug report for the CSRF issue)

Please use CVE-2012-2128 for this issue

> [6] https://bugzilla.redhat.com/show_bug.cgi?id=815122 (Red Hat
> bugzilla entry)
> 
> Discovered by : Khashayar Fereidani
> 
> Proof of Concept URL: 
> http://sitename/doku.php?do=edit&id=S9F8W2A&target=<script>alert(123)</script>
>
> 
> 
> Could you allocate a 2012 CVE id for this issue? (one is enough
> because only 'target' parameter isn't properly escaped, leading to
> XSS or CSRF {see [2] for further examples})

Under ADT2: 	Are X and Y different bug types? (e.g. buffer overflow,
SQL injection, NULL pointer dereference?) Yes: SPLIT them.

> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPlN6iAAoJEBYNRVNeJnmTqdUQAL954UvCMFpkIUpdlUVUj9zR
jf4qAx13KVvKcxmu4Qyg4ZkO8qjn3I4eFJCqLpx7TTp1hSAcPF7bteGUemBBtB5B
loG4wNbVYpCZii1ZhIBLIHw9hNlknS18dmstpmRWTRAcpBj2uzppMCaaqB5qBM1H
V/+rTVh3cpGF8TcoI7u+uLWsDmDXI1LmUsVy/7TtkvWVry7sjQj0IqZl4DtXtlct
w84cXrfI9ImFwbEe7dL6SBl8TMGAPUFWvzWLotgus9XiEIICI12R5DjvvA60wtiL
9alOe28mPjQ0xdSNBCMgLq7f1cR6lf+0W5H+Mrs2+TA0VcPYu5VTpPtISjK7Hh56
vnl8R5MVMpB/oWOsAXt/9m52UKCNmCT1gHPw4QRy8zGbjoAn3Ey8i4ywcG6ZoZP7
IzhSktbcIYI5urpfh25REz5vSkMZwh3y8Vb/wuYa8KcxNcIZVGpu6SYx5E/gvlSb
ZunIs3HqHnif/FXlisvbg6YMFZwoYb9sCzA5+H6kcjfX8DWlqX7g92DraTvHHV+8
YR3YIHfhSyPvANE+YL0oWHZHoL6PIMJsFNE9cujA8qu1D99HcGTJgxlyo4/r0D4U
7uutIQ3Ub82Pc9A6+SHUZtSWOGKsXk1j7DFsPwbemVw+dBXkjOr8MNjdQLz6DOtn
2HRZTS+OV9gx35HJyant
=vpvh
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.