dokuwiki: Insufficient escaping in user manager allows XSS attack

Related Vulnerabilities: CVE-2014-9253   CVE-2015-2172  

Debian Bug report logs - #780817

Reported by: Rodrigo Campos <rodrigo@sdfg.com.ar>

Date: Thu, 19 Mar 2015 21:24:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions dokuwiki/0.0.20140505.a+dfsg-1, dokuwiki/0.0.20120125b-2, dokuwiki/0.0.20120125b-2+deb7u1, dokuwiki/0.0.20140929.a-1

Fixed in version dokuwiki/0.0.20140929.d-1

Done: Tanguy Ortolo <tanguy+debian@ortolo.eu>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#780817; Package dokuwiki. (Thu, 19 Mar 2015 21:24:06 GMT)


Acknowledgement sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
New Bug report received and forwarded. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Thu, 19 Mar 2015 21:24:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Rodrigo Campos <rodrigo@sdfg.com.ar>
To: submit@bugs.debian.org
Subject: dokuwiki: Insufficient escaping in user manager allows XSS attack
Date: Thu, 19 Mar 2015 21:21:22 +0000
Package: dokuwiki
Version: 0.0.20120125b-2+deb7u1
Severity: important

Dear Maintainer,

There's been a hotfix release for dokuwiki.

From the report: "The user's details were not properly escaped in the user
manager's edit form. This allows a registered user to edit her own name (using
the change profile option) to include malicious JavaScript code. The code is
executed when a super user tries to edit the user via the user manager."

You can see more details here:
	https://github.com/splitbrain/dokuwiki/issues/1081

This seems to affect the version in testing and unstable too.

Let me know if I can help to solve it ASAP





Thanks a lot,
Rodrigo
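The escaping defect described in the quoted upstream report, as an added PHP illustration that is not DokuWiki's code and not part of this bug report: a constructed display name is rendered into the edit form's value attribute first without escaping, then through htmlspecialchars(), and a DOM-based check confirms that only the escaped output keeps the stored value inside the attribute. The function names, the field name userfullname and the sample value are assumptions made for this example.

```php
<?php
// Added illustration, not DokuWiki's code: the escaping defect quoted from
// the upstream report, shown as an unsafe and a hardened form renderer.
// Function names, the field name "userfullname" and the sample value are
// assumptions made for this example.

// Constructed sample: a registered user stored this as their own display
// name through the "change profile" form, so it is attacker-controlled data.
const SAMPLE_NAME = '"><script>alert(document.cookie)</script>';

// Unsafe pattern: stored user data concatenated into HTML as-is. The leading
// quote terminates the value attribute and the remainder becomes markup that
// the superuser's browser executes when the user manager opens the edit form.
function renderNameFieldUnsafe(string $name): string
{
    return '<input type="text" name="userfullname" value="' . $name . '">';
}

// Hardened pattern: escape at the output boundary. ENT_QUOTES encodes both
// quote characters, so the stored value cannot close the attribute, and
// < and > become entities, so it cannot open a tag either.
function renderNameFieldSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="userfullname" value="' . $escaped . '">';
}

// Defender-side check: parse the rendered fragment the way a browser would
// and confirm that it yields exactly one input element, no script element,
// and a value attribute that decodes back to the original stored name.
function valueStaysInsideAttribute(string $html, string $expected): bool
{
    $doc = new DOMDocument();
    // Wrap the fragment in a document and silence libxml's notices about
    // the fragment's structure; the parse itself is what we want.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $inputs  = $doc->getElementsByTagName('input');
    $scripts = $doc->getElementsByTagName('script');
    if ($inputs->length !== 1 || $scripts->length !== 0) {
        return false;
    }
    return $inputs->item(0)->getAttribute('value') === $expected;
}

// Render the same stored name both ways and report which one survives the check.
foreach (['unsafe' => 'renderNameFieldUnsafe', 'safe' => 'renderNameFieldSafe'] as $label => $fn) {
    $html = $fn(SAMPLE_NAME);
    printf("%-6s %s\n", $label, $html);
    printf("       value intact, no script element: %s\n",
        valueStaysInsideAttribute($html, SAMPLE_NAME) ? 'yes' : 'no');
}
```

Run it with the PHP CLI (the DOM extension is part of a standard PHP build). The check deliberately parses the output rather than pattern-matching the input string: a denylist on the stored name would miss encodings the browser still interprets, whereas escaping at the output boundary and verifying the parsed result covers the attribute context regardless of what the user typed.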



Reply sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
You have taken responsibility. (Sun, 22 Mar 2015 18:51:17 GMT)


Notification sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
Bug acknowledged by developer. (Sun, 22 Mar 2015 18:51:17 GMT)


Message #10 received at 780817-close@bugs.debian.org:

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: 780817-close@bugs.debian.org
Subject: Bug#780817: fixed in dokuwiki 0.0.20140929.d-1
Date: Sun, 22 Mar 2015 18:48:59 +0000
Source: dokuwiki
Source-Version: 0.0.20140929.d-1

We believe that the bug you reported is fixed in the latest version of
dokuwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780817@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tanguy Ortolo <tanguy+debian@ortolo.eu> (supplier of updated dokuwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 22 Mar 2015 17:00:41 +0100
Source: dokuwiki
Binary: dokuwiki
Architecture: source all
Version: 0.0.20140929.d-1
Distribution: unstable
Urgency: medium
Maintainer: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Changed-By: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Description:
 dokuwiki   - standards compliant simple to use wiki
Closes: 773429 779547 780817
Changes:
 dokuwiki (0.0.20140929.d-1) unstable; urgency=medium
 .
   * New upstream hotfix releases:
      + prevent XSS attack via SWF uploads. (CVE-2014-9253) (Closes: #773429)
      + fix privilege escalation in RPC API (CVE-2015-2172) (Closes: #779547)
      + fix an XSS vulnerability in the user manager (Closes: #780817)
Checksums-Sha1:
 f7f4d93aeb99880056a2fc3aca46d9861e8ed63c 2000 dokuwiki_0.0.20140929.d-1.dsc
 623c9f1351b8df704abe64a49e16550e60623c86 3283317 dokuwiki_0.0.20140929.d.orig.tar.gz
 21c3695e0a707b06f6e0e5d760147c1801a84416 94748 dokuwiki_0.0.20140929.d-1.debian.tar.xz
 37c0071556effd725988fd4b2b769fe807428e1b 1688518 dokuwiki_0.0.20140929.d-1_all.deb
Checksums-Sha256:
 699448f5ea71147779a4c8b28da20b6b90dd34b599b26b8e4fc8953b68cf01cb 2000 dokuwiki_0.0.20140929.d-1.dsc
 6fc6794e13c8e3fe07f5e02bd09cc3a167486a676e9822fa17aab0a45b094794 3283317 dokuwiki_0.0.20140929.d.orig.tar.gz
 e2023434920d5629e58924d9c4438c93179e79ffa451ff6170f8e98142fb9b3d 94748 dokuwiki_0.0.20140929.d-1.debian.tar.xz
 9b56acc8574e75815ba42e467fe8b3c9f1cfd1f2edef0d07ddc736f0bd07c51b 1688518 dokuwiki_0.0.20140929.d-1_all.deb
Files:
 da7a75494251ab1169d17b9553c64c9b 2000 web optional dokuwiki_0.0.20140929.d-1.dsc
 2bf2d6c242c00e9c97f0647e71583375 3283317 web optional dokuwiki_0.0.20140929.d.orig.tar.gz
 9adf20fbebbbca1a84bce8fe62dddf89 94748 web optional dokuwiki_0.0.20140929.d-1.debian.tar.xz
 dedab2fbe60ec10fd043558d95492ed2 1688518 web optional dokuwiki_0.0.20140929.d-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----




Added tag(s) upstream, security, and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 22 Mar 2015 19:12:10 GMT)


Marked as found in versions dokuwiki/0.0.20120125b-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 22 Mar 2015 19:12:14 GMT)


Marked as found in versions dokuwiki/0.0.20140505.a+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 22 Mar 2015 19:12:15 GMT)


Marked as found in versions dokuwiki/0.0.20140929.a-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 22 Mar 2015 19:12:16 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#780817; Package dokuwiki. (Tue, 24 Mar 2015 15:51:10 GMT)


Acknowledgement sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Tue, 24 Mar 2015 15:51:10 GMT)


Message #23 received at 780817@bugs.debian.org:

From: Rodrigo Campos <rodrigo@sdfg.com.ar>
To: 780817@bugs.debian.org
Cc: tanguy+debian@ortolo.eu
Subject: Can you please backport to stable?
Date: Tue, 24 Mar 2015 15:49:57 +0000
Hi,

Can you please backport the security fixes for stable? Or is that process
already ongoing?





Thanks a lot,
Rodrigo



Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#780817; Package dokuwiki. (Tue, 31 Mar 2015 12:57:05 GMT)


Acknowledgement sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Tue, 31 Mar 2015 12:57:05 GMT)


Message #28 received at 780817@bugs.debian.org:

From: Rodrigo Campos <rodrigo@sdfg.com.ar>
To: 780817@bugs.debian.org
Cc: tanguy+debian@ortolo.eu
Subject: Re: Can you please backport to stable?
Date: Tue, 31 Mar 2015 13:54:15 +0100
On Tue, Mar 24, 2015 at 03:49:57PM +0000, Rodrigo Campos wrote:
> Hi,
> 
> Can you please backport the security fixes for stable? Or is that process
> already ongoing?

Hi again,

I contacted the security team (team@security.debian.org) and Salvatore
Bonaccorso answered me that there won't be a DSA for these bugs (this and the
others you fixed in the upload to unstable) but "can and would be nice
if fixed in stable as well via a stable-proposed-update".

I think you need to contact the release team for that, but not sure. Can you
please consider fixing this in stable via stable-proposed-update ? :)


Also, let me know if I can help in any way.




Thanks a lot,
Rodrigo



Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#780817; Package dokuwiki. (Tue, 07 Apr 2015 14:03:05 GMT)


Acknowledgement sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Tue, 07 Apr 2015 14:03:05 GMT)


Message #33 received at 780817@bugs.debian.org:

From: Rodrigo Campos <rodrigo@sdfg.com.ar>
To: 780817@bugs.debian.org
Cc: tanguy+debian@ortolo.eu
Subject: Re: Can you please backport to stable?
Date: Tue, 7 Apr 2015 15:00:46 +0100
On Tue, Mar 31, 2015 at 01:54:15PM +0100, Rodrigo Campos wrote:
> On Tue, Mar 24, 2015 at 03:49:57PM +0000, Rodrigo Campos wrote:
> > Hi,
> > 
> > Can you please backport the security fixes for stable? Or is that process
> > already ongoing?
> 
> Hi again,
> 
> I contacted the security team (team@security.debian.org) and Salvatore
> Bonaccorso answered me that there won't be a DSA for these bugs (this and the
> others you fixed in the upload to unstable) but "can and would be nice
> if fixed in stable as well via a stable-proposed-update".
> 
> I think you need to contact the release team for that, but not sure. Can you
> please consider fixing this in stable via stable-proposed-update ? :)
> 
> 
> Also, let me know if I can help in any way.

Ping ? :)




Thanks a lot,
Rodrigo



Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#780817; Package dokuwiki. (Tue, 14 Apr 2015 15:06:05 GMT)


Acknowledgement sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Tue, 14 Apr 2015 15:06:05 GMT)


Message #38 received at 780817@bugs.debian.org:

From: Rodrigo Campos <rodrigo@sdfg.com.ar>
To: 780817@bugs.debian.org
Cc: tanguy+debian@ortolo.eu
Subject: Re: Can you please backport to stable?
Date: Tue, 14 Apr 2015 16:02:41 +0100
On Tue, Apr 07, 2015 at 03:00:46PM +0100, Rodrigo Campos wrote:
> On Tue, Mar 31, 2015 at 01:54:15PM +0100, Rodrigo Campos wrote:
> > On Tue, Mar 24, 2015 at 03:49:57PM +0000, Rodrigo Campos wrote:
> > > Hi,
> > > 
> > > Can you please backport the security fixes for stable? Or is that process
> > > already ongoing?
> > 
> > Hi again,
> > 
> > I contacted the security team (team@security.debian.org) and Salvatore
> > Bonaccorso answered me that there won't be a DSA for these bugs (this and the
> > others you fixed in the upload to unstable) but "can and would be nice
> > if fixed in stable as well via a stable-proposed-update".
> > 
> > I think you need to contact the release team for that, but not sure. Can you
> > please consider fixing this in stable via stable-proposed-update ? :)
> > 
> > 
> > Also, let me know if I can help in any way.
> 
> Ping ? :)

Ping ping ?



Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#780817; Package dokuwiki. (Thu, 30 Apr 2015 20:54:04 GMT)


Acknowledgement sent to Rodrigo Campos <rodrigo@sdfg.com.ar>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Thu, 30 Apr 2015 20:54:04 GMT)


Message #43 received at 780817@bugs.debian.org:

From: Rodrigo Campos <rodrigo@sdfg.com.ar>
To: 780817@bugs.debian.org
Cc: tanguy@ortolo.eu, adn@debian.org, adn+deb@diwi.org
Subject: Re: Can you please backport to stable?
Date: Thu, 30 Apr 2015 21:49:43 +0100
On Tue, Apr 14, 2015 at 04:02:41PM +0100, Rodrigo Campos wrote:
> On Tue, Apr 07, 2015 at 03:00:46PM +0100, Rodrigo Campos wrote:
> > On Tue, Mar 31, 2015 at 01:54:15PM +0100, Rodrigo Campos wrote:
> > > On Tue, Mar 24, 2015 at 03:49:57PM +0000, Rodrigo Campos wrote:
> > > > Hi,
> > > > 
> > > > Can you please backport the security fixes for stable? Or is that process
> > > > already ongoing?
> > > 
> > > Hi again,
> > > 
> > > I contacted the security team (team@security.debian.org) and Salvatore
> > > Bonaccorso answered me that there won't be a DSA for these bugs (this and the
> > > others you fixed in the upload to unstable) but "can and would be nice
> > > if fixed in stable as well via a stable-proposed-update".
> > > 
> > > I think you need to contact the release team for that, but not sure. Can you
> > > please consider fixing this in stable via stable-proposed-update ? :)
> > > 
> > > 
> > > Also, let me know if I can help in any way.
> > 
> > Ping ? :)
> 
> Ping ping ?

Sorry to disturb again. But the security bugs are now present in stable and
oldstable. Can you *please* consider fixing them via proposed-updates ?






Thanks a lot,
Rodrigo



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 29 May 2015 07:25:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:37:26 2019; Machine Name: buxtehude
