Submitted by : 127.0.0.1 at: 2004-10-01T23:41:03+00:00 (10 years ago)

Hello, I'm Jeremy Bae at STG Security, Inc. I've found a security vulnerability in Zwiki.

Due to an input validation flaw, Zwiki is vulnerable to cross-site scripting attacks.

Impacts: Malicious attackers can inject and execute arbitrary script code in a user's browser session in the context of an affected site.

Proof of concept: http://[victim]?/hi)>

Recommendation: please filter user input.

XSS reference - CERT Advisory CA-2000-02 http://www.cert.org/advisories/CA-2000-02.html

Thank you.


comments:

... -- Fri, 01 Oct 2004 23:47:56 -0700
Thanks. The above doesn't demonstrate this vulnerability. Other examples welcome.

... -- Mon, 25 Oct 2004 06:00:03 -0700
http://zwiki.org/Victim is the working example.

example on IE --DeanG, Mon, 25 Oct 2004 15:44:56 -0700
Example does generate the pop-up on IE 6.

Only works if your ZWiki is anonymously viewable -- Fri, 26 Nov 2004 01:11:07 -0800
Interestingly, this only works if your ZWiki pages are anonymously accessible, otherwise the standard_error_message fails trying to access a page to find the .defaultPage() from, since standard_error_message is only ever executed as anonymous.

Fix -- Fri, 26 Nov 2004 01:20:53 -0800
Here's the fix, to be applied to the file in the ZWiki product on disk, and in any instances of this standard_error_message that exist in your ZODB:

 --- standard_error_message.dtml.original        Fri Nov 26 09:17:22 2004
 +++ standard_error_message.dtml Fri Nov 26 09:17:55 2004
 @@ -29,7 +29,7 @@
    <body>
      <p>
        I could not find any likely page matching 
 -      "<b><dtml-var "here.urlunquote(searchexpr)"></b>"
 +      "<b><dtml-var "here.urlunquote(searchexpr)" html_quote></b>"
      </p>
      <p>
        Click here to 
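Review bot: the hunk's trailing context stops at "Click here to", before whatever link follows it, so this only proves the reflection inside the `<b>` is closed; if `searchexpr` is interpolated again in that link (in its text or its href), that occurrence needs the same treatment (`html_quote` in text, `url_quote` inside an href) or the page stays reflectable through the second sink. Worth reading the rest of the template before closing the issue. The ordering in the changed line is right: `html_quote` is applied to the result of `here.urlunquote(searchexpr)`, so the escaping happens after URL-decoding and encoded angle brackets cannot be decoded back into markup afterwards.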

cheers,

Chris
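The mechanism the comments above describe (a URL-decoded search expression echoed into standard_error_message unescaped, closed by adding html_quote so the expression's result is escaped at output time), as an added Python illustration that is not Zwiki's code: the template string, the two sample search expressions and all helper names are constructed for this example, and it mirrors the DTML fix only in its ordering, decoding first and escaping second. It also shows the opposite order, which a naive "filter user input" on the raw request value would amount to.

```python
"""Added example (not Zwiki's own code): escaping a reflected, URL-encoded
search expression, and why html_quote must run after urlunquote."""
from html import escape
from urllib.parse import unquote

# Constructed sample request values (assumed shapes, not captured Zwiki traffic).
XSS_SEARCH = "%3Cscript%3Ealert(1)%3C/script%3E"   # URL-encoded <script>alert(1)</script>
BENIGN_SEARCH = "foo%26bar"                         # URL-encoded foo&bar

# Stand-in for the DTML fragment quoted in the fix; the real template is in Zwiki.
TEMPLATE = '<p>I could not find any likely page matching "<b>%s</b>"</p>'


def render_unsafe(searchexpr: str) -> str:
    """Pre-fix behaviour: URL-decode the search expression and drop it into the page raw."""
    return TEMPLATE % unquote(searchexpr)


def render_fixed(searchexpr: str) -> str:
    """Fixed behaviour: URL-decode first, then HTML-escape at the point of output.
    This is the order the patched dtml-var uses (html_quote on the expression's result)."""
    return TEMPLATE % escape(unquote(searchexpr), quote=True)


def render_wrong_order(searchexpr: str) -> str:
    """Escaping before decoding does nothing useful: the encoded input holds no '<' or '>'
    for escape() to touch, and unquote() then reconstructs the markup."""
    return TEMPLATE % unquote(escape(searchexpr, quote=True))


def reflected_fragment(rendered: str) -> str:
    """Return the text the template placed between the first <b> and the following </b>."""
    start = rendered.index("<b>") + len("<b>")
    end = rendered.index("</b>", start)
    return rendered[start:end]


def is_safely_escaped(rendered: str) -> bool:
    """Check to script against a patched instance: the reflected fragment must carry
    no raw angle brackets or double quotes that could close the <b> or an attribute."""
    frag = reflected_fragment(rendered)
    return not any(ch in frag for ch in '<>"')


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("fixed", render_fixed),
                     ("wrong order", render_wrong_order)):
        out = fn(XSS_SEARCH)
        print(f"{name:12s} safe={is_safely_escaped(out)!s:5s} {reflected_fragment(out)}")
```

`is_safely_escaped` is the kind of check to run against the same error page after deploying the fix to both the on-disk product and every copy in the ZODB, since the comment above notes the template can exist in both places and only the patched copy is safe.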

Fix -- Tue, 30 Nov 2004 00:05:26 -0800
Thanks all, applied this fix for 0.37.

property change -- Tue, 30 Nov 2004 00:11:25 -0800
Status: open => closed

property change -- Mon, 20 Dec 2004 22:20:50 -0800

... --simon, Fri, 30 Jan 2009 02:44:22 -0800
Name: #925 zjIUscCReS => #925 Zwiki XSS vulnerability