[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20120823211838.GA17896@kludge.henri.nerv.fi>
Date: Fri, 24 Aug 2012 00:18:38 +0300
From: Henri Salo <henri@...v.fi>
To: Netsparker Advisories <advisories@...itunasecurity.com>,
bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] XSS Vulnerabilities in LabWiki
On Wed, Aug 22, 2012 at 12:32:29PM +0300, Netsparker Advisories wrote:
> Information
> --------------------
> Name : XSS Vulnerabilities in LabWiki
> Software : LabWiki 1.5 and possibly below.
> Vendor Homepage : http://www.bioinformatics.org/phplabware/labwiki/index.php
> Vulnerability Type : Cross-Site Scripting
> Severity : Critical
> Researcher : Canberk Bolat
> Advisory Reference : NS-12-008
>
> Description
> --------------------
> This wiki is powered by Qwiki Wiki, a minimalist PHP wiki engine
> originally developed by David Barrett, that uses plain text files to
> store data. The 'engine' is used to edit the data as well as to format
> it and present it as a web page. Significant modifications were done
> to the codes of this wiki for bugs and enhancements (XHTML compliance,
> UTF-8 encoding, backup maintainance, page deletion, etc.) by Santosh
> Patnaik (SP) who also largely seeded the wiki with new and old
> (non-wiki) documents.
>
> Details
> --------------------
> LabWiki is affected by XSS vulnerabilities in version 1.5. Example PoC
> urls are as follows :
>
> http://example.com/recentchanges.php?page_no='"--></style></script><script>alert(0x00039E)</script>¬hing=nothing
> http://example.com/index.php?page=What_is_wiki&from='"--></style></script><script>alert(0x0001C7)</script>
>
> You can read the full article about Cross-Site Scripting vulnerability
> from here :
>
> Cross-site Scripting: http://www.mavitunasecurity.com/crosssite-scripting-xss/
>
> Solution
> --------------------
> No patch released.
>
> Advisory Timeline
> --------------------
> 15/11/2011 - First contact: No response
> 01/01/2012 - Second contact: No response
> 22/08/2012 - Advisory Released
>
> Credits
> --------------------
> It has been discovered on testing of Netsparker, Web Application
> Security Scanner - http://www.mavitunasecurity.com/netsparker/.
>
> References
> --------------------
> MSL Advisory Link :
> http://www.mavitunasecurity.com/xss-vulnerabilities-in-labwiki/
> Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/
>
> About Netsparker
> --------------------
> Netsparker® can find and report security issues such as SQL Injection
> and Cross-site Scripting (XSS) in all web applications regardless of
> the platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allows it to be dead accurate in
> reporting hence it's the first and the only False Positive Free web
> application security scanner.
>
> --
> Netsparker Advisories, <advisories@...itunasecurity.com>
> Homepage, http://www.mavitunasecurity.com/netsparker-advisories/
This looks a lot like what muuratsalo has discovered some time ago: http://osvdb.org/show/osvdb/76934 (there is more similar issues in OSVDB if you use advanced search). If I remember correctly from muuratsalo's emails he did get contact to vendor, but vendor did not fix all issues and wasn't co-operative in discussion.
Do you think NS-12-007 and NS-12-008 are new issues? If so we should request CVE-identifiers if these differ a lot of other XSS-issues. At the point where vendor does not fix issues like these nor reply I would say that people shouldn't be using the software at all.
- Henri Salo
Powered by blists - more mailing lists