<<< Date Index >>>     <<< Thread Index >>>

Re: [ GLSA 200510-23 ] TikiWiki: XSS vulnerability



Silly quesiton: Does this cover all OS's? 

--- Thierry Carrez <koon@xxxxxxxxxx> wrote:

> - - - - - - - - - - - - - - - - - - - - - - - - - -
> - - - - - - - - - -
> Gentoo Linux Security Advisory                      
>     GLSA 200510-23
> - - - - - - - - - - - - - - - - - - - - - - - - - -
> - - - - - - - - - -
>                                            
> http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - -
> - - - - - - - - - -
> 
>   Severity: Low
>      Title: TikiWiki: XSS vulnerability
>       Date: October 28, 2005
>       Bugs: #109858
>         ID: 200510-23
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - -
> - - - - - - - - - -
> 
> Synopsis
> ========
> 
> TikiWiki is vulnerable to cross-site scripting
> attacks.
> 
> Background
> ==========
> 
> TikiWiki is a web-based groupware and content
> management system (CMS),
> using PHP, ADOdb and Smarty.
> 
> Affected packages
> =================
> 
>    
>
-------------------------------------------------------------------
>      Package            /  Vulnerable  /            
>        Unaffected
>    
>
-------------------------------------------------------------------
>   1  www-apps/tikiwiki      < 1.9.1.1               
>        >= 1.9.1.1
> 
> Description
> ===========
> 
> Due to improper input validation, TikiWiki can be
> exploited to perform
> cross-site scripting attacks.
> 
> Impact
> ======
> 
> A remote attacker could exploit this to inject and
> execute malicious
> script code or to steal cookie-based authentication
> credentials,
> potentially compromising the victim's browser.
> 
> Workaround
> ==========
> 
> There is no known workaround at this time.
> 
> Resolution
> ==========
> 
> All TikiWiki users should upgrade to the latest
> version:
> 
>     # emerge --sync
>     # emerge --ask --oneshot --verbose
> ">=www-apps/tikiwiki-1.9.1.1"
> 
> Note: Users with the vhosts USE flag set should
> manually use
> webapp-config to finalize the update.
> 
> Availability
> ============
> 
> This GLSA and any updates to it are available for
> viewing at
> the Gentoo Security Website:
> 
>   http://security.gentoo.org/glsa/glsa-200510-23.xml
> 
> Concerns?
> =========
> 
> Security is a primary focus of Gentoo Linux and
> ensuring the
> confidentiality and security of our users machines
> is of utmost
> importance to us. Any security concerns should be
> addressed to
> security@xxxxxxxxxx or alternatively, you may file a
> bug at
> http://bugs.gentoo.org.
> 
> License
> =======
> 
> Copyright 2005 Gentoo Foundation, Inc; referenced
> text
> belongs to its owner(s).
> 
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike
> license.
> 
> http://creativecommons.org/licenses/by-sa/2.0
> 
> 


------------------
Dave C, Admin, City of Pine
dave_canuck2001@xxxxxxxxx


        
                
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com