| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20051028192618.76195.qmail@web34209.mail.mud.yahoo.com> Date: Fri, 28 Oct 2005 12:26:17 -0700 (PDT) From: dave canuck <dave_canuck2001@...oo.com> To: Thierry Carrez <koon@...too.org>, gentoo-announce@...ts.gentoo.org Cc: bugtraq@...urityfocus.com Subject: Re: [ GLSA 200510-23 ] TikiWiki: XSS vulnerability Silly quesiton: Does this cover all OS's? --- Thierry Carrez <koon@...too.org> wrote: > - - - - - - - - - - - - - - - - - - - - - - - - - - > - - - - - - - - - - > Gentoo Linux Security Advisory > GLSA 200510-23 > - - - - - - - - - - - - - - - - - - - - - - - - - - > - - - - - - - - - - > > http://security.gentoo.org/ > - - - - - - - - - - - - - - - - - - - - - - - - - - > - - - - - - - - - - > > Severity: Low > Title: TikiWiki: XSS vulnerability > Date: October 28, 2005 > Bugs: #109858 > ID: 200510-23 > > - - - - - - - - - - - - - - - - - - - - - - - - - - > - - - - - - - - - - > > Synopsis > ======== > > TikiWiki is vulnerable to cross-site scripting > attacks. > > Background > ========== > > TikiWiki is a web-based groupware and content > management system (CMS), > using PHP, ADOdb and Smarty. > > Affected packages > ================= > > > ------------------------------------------------------------------- > Package / Vulnerable / > Unaffected > > ------------------------------------------------------------------- > 1 www-apps/tikiwiki < 1.9.1.1 > >= 1.9.1.1 > > Description > =========== > > Due to improper input validation, TikiWiki can be > exploited to perform > cross-site scripting attacks. > > Impact > ====== > > A remote attacker could exploit this to inject and > execute malicious > script code or to steal cookie-based authentication > credentials, > potentially compromising the victim's browser. > > Workaround > ========== > > There is no known workaround at this time. > > Resolution > ========== > > All TikiWiki users should upgrade to the latest > version: > > # emerge --sync > # emerge --ask --oneshot --verbose > ">=www-apps/tikiwiki-1.9.1.1" > > Note: Users with the vhosts USE flag set should > manually use > webapp-config to finalize the update. > > Availability > ============ > > This GLSA and any updates to it are available for > viewing at > the Gentoo Security Website: > > http://security.gentoo.org/glsa/glsa-200510-23.xml > > Concerns? > ========= > > Security is a primary focus of Gentoo Linux and > ensuring the > confidentiality and security of our users machines > is of utmost > importance to us. Any security concerns should be > addressed to > security@...too.org or alternatively, you may file a > bug at > http://bugs.gentoo.org. > > License > ======= > > Copyright 2005 Gentoo Foundation, Inc; referenced > text > belongs to its owner(s). > > The contents of this document are licensed under the > Creative Commons - Attribution / Share Alike > license. > > http://creativecommons.org/licenses/by-sa/2.0 > > ------------------ Dave C, Admin, City of Pine dave_canuck2001@...oo.com __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com
Powered by blists - more mailing lists