Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: Re: STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerability

Re: STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerability

From: Chris Withers <chris_at_simplistix.co.uk>
Date: Fri, 26 Nov 2004 09:25:18 +0000

advisory_at_stgsecurity.com wrote:

> proof of concept
>
> http://[victim]/<img src=javascript:alert('hi')>

Just to note, this bug only affects ZWiki version after Zwiki 0.10.0rc1.

Also, the fix is pretty trivial, apply the following patch to
standard_error_message in all ZWiki folders (and on disk, so you don't
have to do it again ;-):

--- standard_error_message.dtml.original Fri Nov 26 09:17:22 2004
+++ standard_error_message.dtml Fri Nov 26 09:17:55 2004
@@ -29,7 +29,7 @@
    <body>
      <p>
        I could not find any likely page matching
- "<b><dtml-var "here.urlunquote(searchexpr)"></b>"
+ "<b><dtml-var "here.urlunquote(searchexpr)" html_quote></b>"
      </p>
      <p>
        Click here to

Sadly, I see I broke the bug tracker, 'cos it's also a ZWiki, and has
MUCH bigger problems than the above :-S (execution of any DTML in the
context of (hopefully!) the user that created it along with a total lack
of html quoting in the page :-(

In short, only use ZWiki if you know what you're doing, and preferably
only if it's not anonymously accessible...

*sigh*

Chris 

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk
Received on Nov 28 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]