-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SA0005
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ PmWiki 2.0.12 Cross Site Scripting +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PUBLISHED ON
Nov 22, 2005
PUBLISHED AT
http://moritz-naumann.com/adv/0005/pmwiki/0005.txt
http://moritz-naumann.com/adv/0005/pmwiki/0005.txt.sig
PUBLISHED BY
Moritz Naumann IT Consulting & Services
Hamburg, Germany
http://moritz-naumann.com/
SECURITY at MORITZ hyphon NAUMANN d0t COM
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
AFFECTED APPLICATION OR SERVICE
PmWiki
http://www.pmwiki.org/
AFFECTED VERSION
Version 2.0 up to and including 2.0.12
BACKGROUND
Everybody knows XSS.
http://en.wikipedia.org/wiki/XSS
http://www.cgisecurity.net/articles/xss-faq.shtml
ISSUE
PmWiki 2.0.12 is subject to a XSS vulnerability. The
problem exists in the 'q' parameter passed to the search
function. Successful exploitation may allow for
impersonification through session stealing.
The following URL demonstrates this issue:
[pmwiki_basedir]/Site/Search?action=search&q=TRY%20ANOTHER%20SEARCH%20NO
W!%20YES,%20YOU!'%20onMouseOver='alert(document.title);'%20
This issue is caused by insufficient input validation.
WORKAROUND
Client: Disable Javascript.
Server: Prevent access to pagelist.php.
SOLUTIONS
Install or upgrade to the latest release, version 2.0.13.
Both releases and patch files are available at
http://www.pmwiki.org/pub/pmwiki/
TIMELINE
Nov 05, 2005 Discovery
Nov 05, 2005 Code maintainer notified
Nov 09, 2005 Code maintainer replies
Nov 10, 2005 Code maintainer provides fix
Nov 11, 2005 CVE candidate assignment requested
Nov 22, 2005 Sick of waiting for Mitre to fix their DB
Nov 22, 2005 Public disclosure
REFERENCES
N/A
ADDITIONAL CREDIT
N/A
LICENSE
Creative Commons Attribution-ShareAlike License Germany
http://creativecommons.org/licenses/by-sa/2.0/de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDg4k6n6GkvSd/BgwRAkHNAKCTcGJKosuxhRzWh4BBSxMdhPN5hgCgh6ge
12nFL+rppdBzzKf9w3XXETc=
=idBd
-----END PGP SIGNATURE-----