Swiki 1.5 Multiple Cross-Site Scripting Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Swiki 1.5 Multiple Cross-Site Scripting Vulnerabilities
From: brad.antoniewicz@xxxxxxxxxxxxxx
Date: 7 Apr 2008 23:27:55 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Title: Swiki 1.5 Multiple Cross-Site Scripting Vulnerabilities 
Vendor URL: http://wiki.squeak.org/swiki Vendor Contacted: Yes

Description:
Multiple stored and reflective cross-site scripting vulnerabilities were 
identified in Swiki 1.5. 

Reflective (example):
http://[host]:8000/<script>alert("XSS");</script>

Stored (example):
On posts to 1.append when adding new entries into the wiki, the application 
does not properly escape javascript code resulting in a stored cross-site 
scripting attack. 

Credit: 
Brad Antoniewicz
brad.antoniewicz@xxxxxxxxxxxxxx

Prev by Date: [ GLSA 200804-04 ] MySQL: Multiple vulnerabilities
Next by Date: Re: Wikepage Opus 13 2007.2 Directory Traversal Vulnerbility
Previous by thread: [ GLSA 200804-04 ] MySQL: Multiple vulnerabilities
Next by thread: WoltLab(R) Community Framework XSS and Full Path Disclosure Vulnerability
Index(es):
- Date
- Thread