Re: [ GLSA 200510-23 ] TikiWiki: XSS vulnerability
Silly quesiton: Does this cover all OS's?
--- Thierry Carrez <koon@xxxxxxxxxx> wrote:
> - - - - - - - - - - - - - - - - - - - - - - - - - -
> - - - - - - - - - -
> Gentoo Linux Security Advisory
> GLSA 200510-23
> - - - - - - - - - - - - - - - - - - - - - - - - - -
> - - - - - - - - - -
>
> http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - -
> - - - - - - - - - -
>
> Severity: Low
> Title: TikiWiki: XSS vulnerability
> Date: October 28, 2005
> Bugs: #109858
> ID: 200510-23
>
> - - - - - - - - - - - - - - - - - - - - - - - - - -
> - - - - - - - - - -
>
> Synopsis
> ========
>
> TikiWiki is vulnerable to cross-site scripting
> attacks.
>
> Background
> ==========
>
> TikiWiki is a web-based groupware and content
> management system (CMS),
> using PHP, ADOdb and Smarty.
>
> Affected packages
> =================
>
>
>
-------------------------------------------------------------------
> Package / Vulnerable /
> Unaffected
>
>
-------------------------------------------------------------------
> 1 www-apps/tikiwiki < 1.9.1.1
> >= 1.9.1.1
>
> Description
> ===========
>
> Due to improper input validation, TikiWiki can be
> exploited to perform
> cross-site scripting attacks.
>
> Impact
> ======
>
> A remote attacker could exploit this to inject and
> execute malicious
> script code or to steal cookie-based authentication
> credentials,
> potentially compromising the victim's browser.
>
> Workaround
> ==========
>
> There is no known workaround at this time.
>
> Resolution
> ==========
>
> All TikiWiki users should upgrade to the latest
> version:
>
> # emerge --sync
> # emerge --ask --oneshot --verbose
> ">=www-apps/tikiwiki-1.9.1.1"
>
> Note: Users with the vhosts USE flag set should
> manually use
> webapp-config to finalize the update.
>
> Availability
> ============
>
> This GLSA and any updates to it are available for
> viewing at
> the Gentoo Security Website:
>
> http://security.gentoo.org/glsa/glsa-200510-23.xml
>
> Concerns?
> =========
>
> Security is a primary focus of Gentoo Linux and
> ensuring the
> confidentiality and security of our users machines
> is of utmost
> importance to us. Any security concerns should be
> addressed to
> security@xxxxxxxxxx or alternatively, you may file a
> bug at
> http://bugs.gentoo.org.
>
> License
> =======
>
> Copyright 2005 Gentoo Foundation, Inc; referenced
> text
> belongs to its owner(s).
>
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike
> license.
>
> http://creativecommons.org/licenses/by-sa/2.0
>
>
------------------
Dave C, Admin, City of Pine
dave_canuck2001@xxxxxxxxx
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com