Joined: 12 May 2004
Posted: Thu Apr 12, 2007 2:26 pm Post subject: [ GLSA 200704-08 ] DokuWiki: Cross-site scripting vulnerabil
Gentoo Linux Security Advisory
Title: DokuWiki: Cross-site scripting vulnerability (GLSA 200704-08)
Date: April 12, 2007
DokuWiki is vulnerable to a cross-site scripting attack.
DokuWiki is a simple to use wiki aimed at creating documentation.
Vulnerable: < 20061106
Unaffected: >= 20061106
Architectures: All supported architectures
DokuWiki does not sanitize user input to the GET variable 'media' in
the fetch.php file.
An attacker could entice a user to click a specially crafted link and
inject CRLF characters into the variable. This would allow the creation
of new lines or fields in the returned HTTP Response header, which
would permit the attacker to execute arbitrary scripts in the context
of the user's browser.
Replace the following line in lib/exe/fetch.php:
$MEDIA = getID('media',false); // no cleaning - maybe external
with:
$MEDIA = preg_replace('/[\x00-\x1F]+/s','',getID('media',false));
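As an added illustration (not part of the advisory or of DokuWiki's code), the Python below does two things: it mirrors the workaround's sanitization of the 'media' value (stripping control characters 0x00-0x1F, which covers CR and LF), and it scans constructed web-server access-log lines for fetch.php requests whose decoded 'media' parameter carries CR/LF, which is what an unpatched instance would have passed into the response header. The log format and sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Equivalent of the patched fetch.php line: remove ASCII control characters
# (0x00-0x1F, including CR and LF) from the media identifier before it can
# reach a Content-Disposition or similar response header.
CONTROL_CHARS = re.compile(r'[\x00-\x1F]+')

def sanitize_media(media: str) -> str:
    return CONTROL_CHARS.sub('', media)

def has_crlf(value: str) -> bool:
    return '\r' in value or '\n' in value

# Constructed sample access-log lines (combined-log style); not real traffic.
# The second line carries a URL-encoded CR/LF in the media parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2007:14:26:01 +0000] "GET /lib/exe/fetch.php?media=wiki:dokuwiki-128.png HTTP/1.1" 200 4312
203.0.113.9 - - [12/Apr/2007:14:27:13 +0000] "GET /lib/exe/fetch.php?media=x%0D%0AX-Injected:%201 HTTP/1.1" 200 0
203.0.113.9 - - [12/Apr/2007:14:28:40 +0000] "GET /doku.php?id=start HTTP/1.1" 200 8820
"""

# Extracts the request line's method and target from one log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fetch_media_params(log_text: str):
    """Yield (request target, decoded media value) for each fetch.php request."""
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('/lib/exe/fetch.php'):
            continue
        # parse_qs percent-decodes, so %0D%0A becomes a literal CR LF here.
        for media in parse_qs(parts.query, keep_blank_values=True).get('media', []):
            yield m.group('target'), media

def find_crlf_attempts(log_text: str):
    """Return request targets whose decoded 'media' value contains CR or LF."""
    return [target for target, media in fetch_media_params(log_text) if has_crlf(media)]
```

Running find_crlf_attempts over SAMPLE_LOG flags only the second request; sanitize_media applied to its media value yields a single-line string that cannot start a new header field.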
All DokuWiki users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20061106"
Last edited by GLSA on Sat Oct 27, 2012 4:24 am; edited 2 times in total