GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Thu Apr 12, 2007 2:26 pm Post subject: [ GLSA 200704-08 ] DokuWiki: Cross-site scripting vulnerabil |
 |
|
Gentoo Linux Security Advisory
Title: DokuWiki: Cross-site scripting vulnerability (GLSA 200704-08)
Severity: low
Exploitable: remote
Date: April 12, 2007
Bug(s): #163781
ID: 200704-08
Synopsis
DokuWiki is vulnerable to a cross-site scripting attack.
Background
DokuWiki is a simple to use wiki aimed at creating documentation.
Affected Packages
Package: www-apps/dokuwiki
Vulnerable: < 20061106
Unaffected: >= 20061106
Architectures: All supported architectures
Description
DokuWiki does not sanitize user input to the GET variable 'media' in
the fetch.php file.
Impact
An attacker could entice a user to click a specially crafted link and
inject CRLF characters into the variable. This would allow the creation
of new lines or fields in the returned HTTP Response header, which
would permit the attacker to execute arbitrary scripts in the context
of the user's browser.
Workaround
Replace the following line in lib/exe/fetch.php:
| Code: | | $MEDIA = getID('media',false); // no cleaning - maybe external |
with
| Code: | | $MEDIA = preg_replace('/[x00-x1F]+/s','',getID('media',false)); |
Resolution
All DokuWiki users should upgrade to the latest version:
| Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20061106" |
References
CVE-2006-6965
Last edited by GLSA on Sat Oct 27, 2012 4:24 am; edited 2 times in total |
|
News & Announcements
