| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Aug 2012 00:18:38 +0300 From: Henri Salo <henri@...v.fi> To: Netsparker Advisories <advisories@...itunasecurity.com>, bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] XSS Vulnerabilities in LabWiki On Wed, Aug 22, 2012 at 12:32:29PM +0300, Netsparker Advisories wrote: > Information > -------------------- > Name : XSS Vulnerabilities in LabWiki > Software : LabWiki 1.5 and possibly below. > Vendor Homepage : http://www.bioinformatics.org/phplabware/labwiki/index.php > Vulnerability Type : Cross-Site Scripting > Severity : Critical > Researcher : Canberk Bolat > Advisory Reference : NS-12-008 > > Description > -------------------- > This wiki is powered by Qwiki Wiki, a minimalist PHP wiki engine > originally developed by David Barrett, that uses plain text files to > store data. The 'engine' is used to edit the data as well as to format > it and present it as a web page. Significant modifications were done > to the codes of this wiki for bugs and enhancements (XHTML compliance, > UTF-8 encoding, backup maintainance, page deletion, etc.) by Santosh > Patnaik (SP) who also largely seeded the wiki with new and old > (non-wiki) documents. > > Details > -------------------- > LabWiki is affected by XSS vulnerabilities in version 1.5. Example PoC > urls are as follows : > > http://example.com/recentchanges.php?page_no='"--></style></script><script>alert(0x00039E)</script>¬hing=nothing > http://example.com/index.php?page=What_is_wiki&from='"--></style></script><script>alert(0x0001C7)</script> > > You can read the full article about Cross-Site Scripting vulnerability > from here : > > Cross-site Scripting: http://www.mavitunasecurity.com/crosssite-scripting-xss/ > > Solution > -------------------- > No patch released. > > Advisory Timeline > -------------------- > 15/11/2011 - First contact: No response > 01/01/2012 - Second contact: No response > 22/08/2012 - Advisory Released > > Credits > -------------------- > It has been discovered on testing of Netsparker, Web Application > Security Scanner - http://www.mavitunasecurity.com/netsparker/. > > References > -------------------- > MSL Advisory Link : > http://www.mavitunasecurity.com/xss-vulnerabilities-in-labwiki/ > Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/ > > About Netsparker > -------------------- > Netsparker® can find and report security issues such as SQL Injection > and Cross-site Scripting (XSS) in all web applications regardless of > the platform and the technology they are built on. Netsparker's unique > detection and exploitation techniques allows it to be dead accurate in > reporting hence it's the first and the only False Positive Free web > application security scanner. > > -- > Netsparker Advisories, <advisories@...itunasecurity.com> > Homepage, http://www.mavitunasecurity.com/netsparker-advisories/ This looks a lot like what muuratsalo has discovered some time ago: http://osvdb.org/show/osvdb/76934 (there is more similar issues in OSVDB if you use advanced search). If I remember correctly from muuratsalo's emails he did get contact to vendor, but vendor did not fix all issues and wasn't co-operative in discussion. Do you think NS-12-007 and NS-12-008 are new issues? If so we should request CVE-identifiers if these differ a lot of other XSS-issues. At the point where vendor does not fix issues like these nor reply I would say that people shouldn't be using the software at all. - Henri Salo
Powered by blists - more mailing lists