Debian Bug report logs -
#465110
ikiwiki: CVE-2008-080{8,9} two cross-site scripting issues
Reported by: Joey Hess <joeyh@debian.org>
Date: Sun, 10 Feb 2008 18:48:02 UTC
Severity: important
Tags: security
Found in versions ikiwiki/1.33.3, ikiwiki/2.31
Fixed in versions ikiwiki/2.31.1, ikiwiki/1.33.4
Done: Joey Hess <joeyh@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#465110; Package ikiwiki.
(full text, mbox, link).
Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: ikiwiki
Version: 1.33.3
Severity: important
Tags: security
Josh Triplett noticed that ikiwiki's htmlscrubber did not sanitise uris
that contained javascript. Imact is that ikiwiki wikis that are
configured to allow unteusted users to edit could have javascript
embedded in <a href="">, or possibly <img src=""> or even <form action="">.
This javascript could be used to do, for example, cross-site scripting
attacks. There is no CVE for this issue at this time, AFAIK, since Josh
just noticed the problem last night.
Ikiwiki used the same html sanitisation method as the Universal Feed
Parser, and that method did not include such checks -- details about the
equivilant bug in the Universal Feed Parser here:
http://code.google.com/p/feedparser/issues/detail?id=37 (not sure if
this is included in Debian).
--
see shy jo
[signature.asc (application/pgp-signature, inline)]
Bug no longer marked as found in version 2.31.1.
Request was from Joey Hess <joeyh@debian.org>
to control@bugs.debian.org.
(Sun, 10 Feb 2008 19:00:06 GMT) (full text, mbox, link).
Bug marked as found in version 2.31.
Request was from Joey Hess <joeyh@debian.org>
to control@bugs.debian.org.
(Sun, 10 Feb 2008 19:03:02 GMT) (full text, mbox, link).
Bug marked as fixed in version 2.31.1.
Request was from Joey Hess <joeyh@debian.org>
to control@bugs.debian.org.
(Sun, 10 Feb 2008 19:03:10 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Joey Hess <joeyh@debian.org>:
Bug#465110; Package ikiwiki.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Joey Hess <joeyh@debian.org>.
(full text, mbox, link).
Message #16 received at 465110@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Joey,
* Joey Hess <joeyh@debian.org> [2008-02-10 20:16]:
> Josh Triplett noticed that ikiwiki's htmlscrubber did not sanitise uris
> that contained javascript. Imact is that ikiwiki wikis that are
> configured to allow unteusted users to edit could have javascript
> embedded in <a href="">, or possibly <img src=""> or even <form action="">.
> This javascript could be used to do, for example, cross-site scripting
> attacks. There is no CVE for this issue at this time, AFAIK, since Josh
> just noticed the problem last night.
[...]
Thanks for reporting this, a CVE id is pending.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Joey Hess <joeyh@debian.org>:
Bug#465110; Package ikiwiki.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Joey Hess <joeyh@debian.org>.
(full text, mbox, link).
Message #21 received at 465110@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
retitle 465110 ikiwiki: CVE-2008-080{8,9} two cross-site scripting issues
thanks
Hi Joey,
* Joey Hess <joeyh@debian.org> [2008-02-10 20:16]:
> Package: ikiwiki
> Version: 1.33.3
> Severity: important
> Tags: security
>
> Josh Triplett noticed that ikiwiki's htmlscrubber did not sanitise uris
> that contained javascript. Imact is that ikiwiki wikis that are
> configured to allow unteusted users to edit could have javascript
> embedded in <a href="">, or possibly <img src=""> or even <form action="">.
> This javascript could be used to do, for example, cross-site scripting
> attacks. There is no CVE for this issue at this time, AFAIK, since Josh
> just noticed the problem last night.
[...]
There we go:
======================================================
Name: CVE-2008-0808
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0808
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=465110
Reference: CONFIRM:http://ikiwiki.info/security/#index30h4
Reference: SECUNIA:28911
Reference: URL:http://secunia.com/advisories/28911
Cross-site scripting (XSS) vulnerability in the meta plugin in Ikiwiki
before 1.1.47 allows remote attackers to inject arbitrary web script
or HTML via meta tags.
======================================================
Name: CVE-2008-0809
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0809
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=465110
Reference: CONFIRM:http://ikiwiki.info/security/#index27h4
Reference: SECUNIA:28911
Reference: URL:http://secunia.com/advisories/28911
Cross-site scripting (XSS) vulnerability in the htmlscrubber in
Ikiwiki before 1.1.46 allows remote attackers to inject arbitrary web
script or HTML via title contents.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Changed Bug title to `ikiwiki: CVE-2008-080{8,9} two cross-site scripting issues' from `htmlscrubber does not sanitise javascript in uris'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Tue, 19 Feb 2008 11:30:08 GMT) (full text, mbox, link).
Reply sent to Joey Hess <joeyh@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #28 received at 465110-close@bugs.debian.org (full text, mbox, reply):
Source: ikiwiki
Source-Version: 1.33.4
We believe that the bug you reported is fixed in the latest version of
ikiwiki, which is due to be installed in the Debian FTP archive:
ikiwiki_1.33.4.dsc
to pool/main/i/ikiwiki/ikiwiki_1.33.4.dsc
ikiwiki_1.33.4.tar.gz
to pool/main/i/ikiwiki/ikiwiki_1.33.4.tar.gz
ikiwiki_1.33.4_all.deb
to pool/main/i/ikiwiki/ikiwiki_1.33.4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 465110@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joey Hess <joeyh@debian.org> (supplier of updated ikiwiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 10 Feb 2008 13:34:28 -0500
Source: ikiwiki
Binary: ikiwiki
Architecture: source all
Version: 1.33.4
Distribution: stable-security
Urgency: high
Maintainer: Joey Hess <joeyh@debian.org>
Changed-By: Joey Hess <joeyh@debian.org>
Description:
ikiwiki - a wiki compiler
Closes: 465110
Changes:
ikiwiki (1.33.4) stable-security; urgency=high
.
* htmlscrubber security fix: Block javascript in uris. Closes: #465110
* meta: Check that the urls provided for authorurl, permalink, and openid
are safe and can't contain javascript.
* Add htmlscrubber test suite.
* Thanks to Josh Triplett for pointing out the holes and for his help
in implementing and checking fixes.
Files:
2e29116078a22cf014f69352c3060ca7 1015 web optional ikiwiki_1.33.4.dsc
e9004c649fd2868f98db48f9d1a88cb5 227057 web optional ikiwiki_1.33.4.tar.gz
8b5e0688e39749041a501898528f5aa5 273414 web optional ikiwiki_1.33.4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR97XI797/wQC1SS+AQIcVAf+M+0sHhxIeW0VA7ne/IAqyB+j+V9nE9Pf
+iQwXsVQMl69g/LZgkne+xCWV43ypkQl3ENK3plRzR8bPTcrOP2/xvcJk1ezlKem
UmTge4HPhONXlwzqwVmmEt5+Br2vYv5D1eVyuoUV0+7+yfieCx3QK/y+BOuU/gQ6
2psjsIvLshU+vR9uY3/4T7+tJAOyUAK72l6NkMa/MJSM+BiCBzgsB8GhEfXyElIe
XVr4SAqfa/ESIou3X4XalV61W/Q0XxdSTIq7j+Ib09zkDxENsBdwPuwGSKyiMStU
878d+/wye7RqncMF8yda51ZvD8t0kL7VeGaE3mNKAcmidjk4TfjUmA==
=Gell
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 10 May 2008 07:40:08 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:31:12 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon