Re: [ GLSA 200510-23 ] TikiWiki: XSS vulnerability

From: dave canuck (dave_canuck2001_at_yahoo.com)
Date: 10/28/05

    Date: Fri, 28 Oct 2005 12:26:17 -0700 (PDT)
    To: Thierry Carrez <koon@gentoo.org>, gentoo-announce@lists.gentoo.org
    
    

    Silly question: Does this cover all OS's?

    --- Thierry Carrez <koon@gentoo.org> wrote:

    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    > Gentoo Linux Security Advisory                           GLSA 200510-23
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    >                                             http://security.gentoo.org/
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    >
    > Severity: Low
    > Title: TikiWiki: XSS vulnerability
    > Date: October 28, 2005
    > Bugs: #109858
    > ID: 200510-23
    >
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    >
    > Synopsis
    > ========
    >
    > TikiWiki is vulnerable to cross-site scripting
    > attacks.
    >
    > Background
    > ==========
    >
    > TikiWiki is a web-based groupware and content
    > management system (CMS),
    > using PHP, ADOdb and Smarty.
    >
    > Affected packages
    > =================
    >
    >     -------------------------------------------------------------------
    >      Package                  /  Vulnerable  /                Unaffected
    >     -------------------------------------------------------------------
    >   1  www-apps/tikiwiki          < 1.9.1.1                    >= 1.9.1.1
    >
    > Description
    > ===========
    >
    > Due to improper input validation, TikiWiki can be
    > exploited to perform
    > cross-site scripting attacks.
    >
    > Impact
    > ======
    >
    > A remote attacker could exploit this to inject and
    > execute malicious
    > script code or to steal cookie-based authentication
    > credentials,
    > potentially compromising the victim's browser.
    >
    > Workaround
    > ==========
    >
    > There is no known workaround at this time.
    >
    > Resolution
    > ==========
    >
    > All TikiWiki users should upgrade to the latest
    > version:
    >
    > # emerge --sync
    > # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.1.1"
    >
    > Note: Users with the vhosts USE flag set should
    > manually use
    > webapp-config to finalize the update.
    >
    > Availability
    > ============
    >
    > This GLSA and any updates to it are available for
    > viewing at
    > the Gentoo Security Website:
    >
    > http://security.gentoo.org/glsa/glsa-200510-23.xml
    >
    > Concerns?
    > =========
    >
    > Security is a primary focus of Gentoo Linux and
    > ensuring the
    > confidentiality and security of our users machines
    > is of utmost
    > importance to us. Any security concerns should be
    > addressed to
    > security@gentoo.org or alternatively, you may file a
    > bug at
    > http://bugs.gentoo.org.
    >
    > License
    > =======
    >
    > Copyright 2005 Gentoo Foundation, Inc; referenced
    > text
    > belongs to its owner(s).
    >
    > The contents of this document are licensed under the
    > Creative Commons - Attribution / Share Alike
    > license.
    >
    > http://creativecommons.org/licenses/by-sa/2.0
    >
    >

    ------------------
    Dave C, Admin, City of Pine
    dave_canuck2001@yahoo.com

            
                    
    __________________________________
    Yahoo! Mail - PC Magazine Editors' Choice 2005
    http://mail.yahoo.com
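The quoted advisory's Description and Impact sections (improper input validation, script injection, theft of cookie-based credentials) describe the general XSS defect without showing it. The following is an added illustration and is not part of the advisory, the thread, or TikiWiki's own code: a Python rendering of the defective pattern (untrusted text dropped into HTML verbatim) beside the encoded form, plus the cookie attributes that limit what an injected script can read. The function names, the sample input and the cookie name are constructed assumptions; the app itself is PHP, but the principle is the same in any language.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List

# Constructed sample of attacker-controlled text reflected into a page,
# e.g. a wiki page title taken from the query string (assumption, not TikiWiki's input).
USER_INPUT = '<script>document.title="x"</script>'


def render_unsafe(title: str) -> str:
    """The defective pattern the advisory describes: the value is emitted
    into the HTML text context with no encoding, so any markup in it is
    interpreted by the browser."""
    return f"<h1>{title}</h1>"


def render_safe(title: str) -> str:
    """Hardened form: encode for the HTML text context at output time.
    quote=True also covers the attribute-value context, so the same helper
    is safe for <input value="..."> style insertion."""
    return f"<h1>{html.escape(title, quote=True)}</h1>"


def session_cookie_headers(session_id: str) -> Dict[str, str]:
    """Defence in depth for the 'steal cookie-based authentication
    credentials' impact: HttpOnly keeps the cookie out of document.cookie,
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sends.
    The cookie name is an assumed PHP-style default."""
    return {
        "Set-Cookie": f"PHPSESSID={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"
    }


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:  # noqa: D401
        self.tags.append(tag)


def tags_in(fragment: str) -> List[str]:
    """Return the list of element start tags found in an HTML fragment.
    Used here as the check: the safe rendering must contain only the
    template's own <h1>, never a tag that originated in user input."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unsafe:", render_unsafe(USER_INPUT), tags_in(render_unsafe(USER_INPUT)))
    print("safe:  ", render_safe(USER_INPUT), tags_in(render_safe(USER_INPUT)))
    print(session_cookie_headers("constructed-session-id"))
```

Running it shows the unencoded rendering yields an extra `script` element that the template never intended, while the encoded rendering yields only the template's `h1`; the `HttpOnly` attribute does not prevent the injection, it only removes the session cookie from what a successful injection can reach, which is why the advisory's fix (upgrading) is still the primary step.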

