lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120823211838.GA17896@kludge.henri.nerv.fi>
Date: Fri, 24 Aug 2012 00:18:38 +0300
From: Henri Salo <henri@...v.fi>
To: Netsparker Advisories <advisories@...itunasecurity.com>,
	bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: XSS Vulnerabilities in LabWiki

On Wed, Aug 22, 2012 at 12:32:29PM +0300, Netsparker Advisories wrote:
> Information
> --------------------
> Name :  XSS Vulnerabilities in LabWiki
> Software :  LabWiki 1.5 and possibly below.
> Vendor Homepage :  http://www.bioinformatics.org/phplabware/labwiki/index.php
> Vulnerability Type :  Cross-Site Scripting
> Severity :  Critical
> Researcher :  Canberk Bolat
> Advisory Reference :  NS-12-008
> 
> Description
> --------------------
> This wiki is powered by Qwiki Wiki, a minimalist PHP wiki engine
> originally developed by David Barrett, that uses plain text files to
> store data. The 'engine' is used to edit the data as well as to format
> it and present it as a web page. Significant modifications were done
> to the codes of this wiki for bugs and enhancements (XHTML compliance,
> UTF-8 encoding, backup maintainance, page deletion, etc.) by Santosh
> Patnaik (SP) who also largely seeded the wiki with new and old
> (non-wiki) documents.
> 
> Details
> --------------------
> LabWiki is affected by XSS vulnerabilities in version 1.5. Example PoC
> urls are as follows :
> 
> http://example.com/recentchanges.php?page_no='"--></style></script><script>alert(0x00039E)</script>&nothing=nothing
> http://example.com/index.php?page=What_is_wiki&from='"--></style></script><script>alert(0x0001C7)</script>
> 
> You can read the full article about Cross-Site Scripting vulnerability
> from here :
> 
> Cross-site Scripting: http://www.mavitunasecurity.com/crosssite-scripting-xss/
> 
> Solution
> --------------------
> No patch released.
> 
> Advisory Timeline
> --------------------
> 15/11/2011 - First contact: No response
> 01/01/2012 - Second contact: No response
> 22/08/2012 - Advisory Released
> 
> Credits
> --------------------
> It has been discovered on testing of Netsparker, Web Application
> Security Scanner - http://www.mavitunasecurity.com/netsparker/.
> 
> References
> --------------------
> MSL Advisory Link :
> http://www.mavitunasecurity.com/xss-vulnerabilities-in-labwiki/
> Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/
> 
> About Netsparker
> --------------------
> Netsparker® can find and report security issues such as SQL Injection
> and Cross-site Scripting (XSS) in all web applications regardless of
> the platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allows it to be dead accurate in
> reporting hence it's the first and the only False Positive Free web
> application security scanner.
> 
> -- 
> Netsparker Advisories, <advisories@...itunasecurity.com>
> Homepage, http://www.mavitunasecurity.com/netsparker-advisories/

This looks a lot like what muuratsalo has discovered some time ago: http://osvdb.org/show/osvdb/76934 (there is more similar issues in OSVDB if you use advanced search). If I remember correctly from muuratsalo's emails he did get contact to vendor, but vendor did not fix all issues and wasn't co-operative in discussion.

Do you think NS-12-007 and NS-12-008 are new issues? If so we should request CVE-identifiers if these differ a lot of other XSS-issues. At the point where vendor does not fix issues like these nor reply I would say that people shouldn't be using the software at all.

- Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists