[37530] in bugtraq
Re: STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerability
daemon@ATHENA.MIT.EDU (Chris Withers)
Fri Nov 26 12:52:56 2004
Message-ID: <41A6F67E.2000304@simplistix.co.uk>
Date: Fri, 26 Nov 2004 09:25:18 +0000
From: Chris Withers <chris@simplistix.co.uk>
MIME-Version: 1.0
To: advisory@stgsecurity.com
Cc: bugtraq@securityfocus.com, simon@joyful.com
In-Reply-To: <20041124030025.9587.qmail@www.securityfocus.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
advisory@stgsecurity.com wrote:
> proof of concept
>
> http://[victim]/<img src=javascript:alert('hi')>
Just to note, this bug only affects ZWiki version after Zwiki 0.10.0rc1.
Also, the fix is pretty trivial, apply the following patch to
standard_error_message in all ZWiki folders (and on disk, so you don't
have to do it again ;-):
--- standard_error_message.dtml.original Fri Nov 26 09:17:22 2004
+++ standard_error_message.dtml Fri Nov 26 09:17:55 2004
@@ -29,7 +29,7 @@
<body>
<p>
I could not find any likely page matching
- "<b><dtml-var "here.urlunquote(searchexpr)"></b>"
+ "<b><dtml-var "here.urlunquote(searchexpr)" html_quote></b>"
</p>
<p>
Click here to
Sadly, I see I broke the bug tracker, 'cos it's also a ZWiki, and has
MUCH bigger problems than the above :-S (execution of any DTML in the
context of (hopefully!) the user that created it along with a total lack
of html quoting in the page :-(
In short, only use ZWiki if you know what you're doing, and preferably
only if it's not anonymously accessible...
*sigh*
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
