XSS vulnerability in dokuwiki

Bug #147993 reported by Laurent
Affects | Status | Importance | Assigned to | Milestone
dokuwiki (Ubuntu) | Fix Released | Medium | Unassigned |
Dapper | Fix Released | Medium | Kees Cook |
Edgy | Fix Released | Medium | Kees Cook |
Feisty | Fix Released | Medium | Kees Cook |

Bug Description

Binary package hint: dokuwiki

Hi,

According to the DokuWiki issue tracking system, there is an XSS vulnerability in DokuWiki: http://bugs.splitbrain.org/index.php?do=details&task_id=1195

Copy of the bug summary:
Compass Security discovered an XSS vulnerability in DokuWiki's spellchecker backend.

The spellchecker tests the UTF-8 capabilities of the used browser by sending a UTF-8 string to the backend, which will send it back unfiltered. By comparing string length the spellchecker can work around broken implementations. An attacker could construct a form to let users send JavaScript to the spellchecker backend, resulting in malicious JavaScript being executed in their browser.

Affected are all versions up to and including 2007-06-26, even when the spell checker is disabled.

The vulnerability is only exploitable with Microsoft Internet Explorer (because of its broken MIME handling); other browsers will not execute the JavaScript sent back.

A new updated release 2007-06-26b was made available at http://www.splitbrain.org/go/dokuwiki

You may fix the problem yourself by replacing the spell_utf8test() function in lib/exe/spellcheck.php with the following code:

function spell_utf8test(){
    // Echo back at most the first 3 bytes of the submitted test string.
    print substr($_POST['data'],0,3);
}

If you fix it yourself you should increase the number in conf/msg to 10 for disabling update notification for this issue.
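
A local check for the manual fix described above, added here as an example (it is not code from DokuWiki or from the Ubuntu packages): given the text of lib/exe/spellcheck.php and conf/msg, it flags an install where the update notice was silenced but spell_utf8test() still uses $_POST['data'] outside the 3-byte substr(). The function names, the UNPATCHED sample and the assumption that conf/msg holds a bare integer are constructed for illustration.

```python
import re

# Request parameter read by spell_utf8test(), and the fixed (3-byte) use of it.
DATA = r"\$_POST\[\s*['\"]data['\"]\s*\]"
FIXED_CALL = re.compile(r"substr\(\s*" + DATA + r"\s*,\s*0\s*,\s*3\s*\)")
RAW_USE = re.compile(DATA)
FUNC_HEAD = re.compile(r"function\s+spell_utf8test\s*\(\s*\)\s*\{")

def function_body(php_source):
    """Return the text between the braces of spell_utf8test(), or None."""
    head = FUNC_HEAD.search(php_source)
    if head is None:
        return None
    depth, pos = 1, head.end()
    while pos < len(php_source) and depth:   # naive: ignores braces in strings
        depth += {"{": 1, "}": -1}.get(php_source[pos], 0)
        pos += 1
    return php_source[head.end():pos - 1] if depth == 0 else None

def fix_status(php_source):
    """'absent', 'patched' or 'unpatched' for one spellcheck.php text."""
    body = function_body(php_source)
    if body is None:
        return "absent"
    # Any use of the parameter left over outside substr(...,0,3) is unbounded.
    leftover = FIXED_CALL.sub("", body)
    return "unpatched" if RAW_USE.search(leftover) else "patched"

def notification_silenced(msg_text):
    """True if conf/msg holds a number >= 10 (assumed: a bare integer)."""
    try:
        return int(msg_text.strip()) >= 10
    except ValueError:
        return False

def audit(php_source, msg_text):
    status = fix_status(php_source)
    silenced = notification_silenced(msg_text)
    # Worst case: the update notice was turned off but the code was never fixed.
    return {"status": status, "silenced": silenced, "mismatch": silenced and status == "unpatched"}

# Constructed inputs. PATCHED is the function from the report; UNPATCHED is a
# stand-in for "send it back unfiltered", not the real pre-fix upstream code.
PATCHED = "<?php\nfunction spell_utf8test(){\nprint substr($_POST['data'],0,3);\n}\n"
UNPATCHED = "<?php\nfunction spell_utf8test(){\n  print $_POST['data'];\n}\n"

if __name__ == "__main__":
    for name, src, msg in (("patched", PATCHED, "10"), ("unpatched", UNPATCHED, "10")):
        print(name, audit(src, msg))
```
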

Scott Kitterman (kitterman) wrote :

Already fixed in Gutsy (we have the upstream version with the correction).

Changed in dokuwiki:
status: New → Fix Released
Scott Kitterman (kitterman) wrote :

Feisty has the unfixed version, so confirmed. Someone ought to look into if Dapper/Edgy versions are affected.

Changed in dokuwiki:
importance: Undecided → Medium
status: New → Confirmed
Luca Falavigna (dktrkranz) wrote :

Debdiff for feisty-security.

Luca Falavigna (dktrkranz) wrote :

Debdiff for edgy-security.

Luca Falavigna (dktrkranz) wrote :

Debdiff for dapper-security.

Kees Cook (kees) wrote :

Thanks! I'm getting these built now.

Changed in dokuwiki:
assignee: nobody → keescook
status: Confirmed → In Progress
Kees Cook (kees)
Changed in dokuwiki:
assignee: nobody → keescook
importance: Undecided → Medium
status: In Progress → Fix Released
assignee: keescook → nobody
This report contains Public Security information  
Everyone can see this security related information.
