<<< Date Index >>>     <<< Thread Index >>>

Re: STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerability



advisory@xxxxxxxxxxxxxxx wrote:

proof of concept

http://[victim]/<img src=javascript:alert('hi')>

Just to note, this bug only affects ZWiki version after Zwiki 0.10.0rc1.

Also, the fix is pretty trivial, apply the following patch to standard_error_message in all ZWiki folders (and on disk, so you don't have to do it again ;-):

--- standard_error_message.dtml.original        Fri Nov 26 09:17:22 2004
+++ standard_error_message.dtml Fri Nov 26 09:17:55 2004
@@ -29,7 +29,7 @@
   <body>
     <p>
       I could not find any likely page matching
-      "<b><dtml-var "here.urlunquote(searchexpr)"></b>"
+      "<b><dtml-var "here.urlunquote(searchexpr)" html_quote></b>"
     </p>
     <p>
       Click here to

Sadly, I see I broke the bug tracker, 'cos it's also a ZWiki, and has MUCH bigger problems than the above :-S (execution of any DTML in the context of (hopefully!) the user that created it along with a total lack of html quoting in the page :-(

In short, only use ZWiki if you know what you're doing, and preferably only if it's not anonymously accessible...

*sigh*

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk