XSS bug in PEAR::Text_Wiki 1.1.0

by Michael Mayer - Sat, Jun 10 2006

This bug was found and reported by Michael Mayer (Liquid Bytes) on Jun 9, 2006.

Description

The raw markup rule of PEAR::Text_Wiki (release 1.1.0) is a very simple way to inject any JavaScript or other possibly malicious code into a Wiki page (even if the html markup rule is disabled!). This is known as cross-site scripting (XSS).

Example

See the Heise Security Forum (German). You can test it in the YaWiki Sandbox.

Solution

Upgrade to the next stable release. This bug has been fixed in CVS.

External References

• PEAR bug database
• Text_Wiki CVS
• YaWiki Home Page
• Heise Security Forum (German)

Print this page  PDF version

More News

• Trackback support for AWF
• AWF 2.10 released
• Demo site is online again
• AWF-CMS.org is moving to a new server
• New default design for AWF 2.10
• AWF runs under Windows and XAMPP 1.5.1
• Security Bugs
• New online documentation
• Work on LDAP support finished
• LDAP support for AWF
• PEAR::Text_Wiki_Mediawiki
• OpenSourceCMS.com will not list AWF-CMS
• New features for AWF-CMS.org

3 Trackbacks

• 10.08.07 MOBY: Bookmarks
  I can't add your post to Digg. How I do this? more
• 15.08.07 Mr.Rick: Add Page
  I don't added your post to del.icio.us more
• 17.08.07 Mr.Roy: Add Article
  How I add article to your blog? more

You must be logged in to post a comment.

Trackback URL for this entry: http://www.awf-cms.org/trackback/AWF_Document/170

Copyright © 2000-2005 AWF-CMS.org
The project is funded by Liquid Bytes Technologies and through donations of the user community. AWF is Free Software and available under the terms of the GNU General Public License. This page was viewed 3382 times so far.