[dokuwiki] Cross Site Scripting Vulnerability

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Tue, 18 Oct 2005 23:47:41 +0200

Hi all!

A problem in DokuWiki was discovered which lets malicious users add
arbitrary HTML or JavaScript into Wiki pages. An attacker could use this
vulnerability to steal user cookies, redirect users to malicious pages
or simply destroy the design of a page.

The insert is possible because of a missing validation in handling
email-, windowsshare- and external link syntax. Because DokuWiki's user
cookies are encrypted, the risk is relatively low, but I recommend fixing
these problems as soon as possible in your installations.

The downloadable archive of release 2006-09-22 available at
http://www.splitbrain.org/go/dokuwiki was updated to incorporate the
needed fixes. Alternatively, you can follow the instructions at
http://bugs.splitbrain.org/?do=details&id=595 to fix the problems
yourself. Developers can upgrade via darcs of course.

Regards
Andi
