[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] XSS Vulnerabilities in LabWiki



On Wed, Aug 22, 2012 at 12:32:29PM +0300, Netsparker Advisories wrote:
> Information
> --------------------
> Name :  XSS Vulnerabilities in LabWiki
> Software :  LabWiki 1.5 and possibly below.
> Vendor Homepage :  http://www.bioinformatics.org/phplabware/labwiki/index.php
> Vulnerability Type :  Cross-Site Scripting
> Severity :  Critical
> Researcher :  Canberk Bolat
> Advisory Reference :  NS-12-008
> 
> Description
> --------------------
> This wiki is powered by Qwiki Wiki, a minimalist PHP wiki engine
> originally developed by David Barrett, that uses plain text files to
> store data. The 'engine' is used to edit the data as well as to format
> it and present it as a web page. Significant modifications were done
> to the codes of this wiki for bugs and enhancements (XHTML compliance,
> UTF-8 encoding, backup maintainance, page deletion, etc.) by Santosh
> Patnaik (SP) who also largely seeded the wiki with new and old
> (non-wiki) documents.
> 
> Details
> --------------------
> LabWiki is affected by XSS vulnerabilities in version 1.5. Example PoC
> urls are as follows :
> 
> http://example.com/recentchanges.php?page_no='"--></style></script><script>alert(0x00039E)</script>&nothing=nothing
> http://example.com/index.php?page=What_is_wiki&from='"--></style></script><script>alert(0x0001C7)</script>
> 
> You can read the full article about Cross-Site Scripting vulnerability
> from here :
> 
> Cross-site Scripting: http://www.mavitunasecurity.com/crosssite-scripting-xss/
> 
> Solution
> --------------------
> No patch released.
> 
> Advisory Timeline
> --------------------
> 15/11/2011 - First contact: No response
> 01/01/2012 - Second contact: No response
> 22/08/2012 - Advisory Released
> 
> Credits
> --------------------
> It has been discovered on testing of Netsparker, Web Application
> Security Scanner - http://www.mavitunasecurity.com/netsparker/.
> 
> References
> --------------------
> MSL Advisory Link :
> http://www.mavitunasecurity.com/xss-vulnerabilities-in-labwiki/
> Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/
> 
> About Netsparker
> --------------------
> Netsparker® can find and report security issues such as SQL Injection
> and Cross-site Scripting (XSS) in all web applications regardless of
> the platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allows it to be dead accurate in
> reporting hence it's the first and the only False Positive Free web
> application security scanner.
> 
> -- 
> Netsparker Advisories, <advisories@xxxxxxxxxxxxxxxxxxxx>
> Homepage, http://www.mavitunasecurity.com/netsparker-advisories/

This looks a lot like what muuratsalo has discovered some time ago: http://osvdb.org/show/osvdb/76934 (there is more similar issues in OSVDB if you use advanced search). If I remember correctly from muuratsalo's emails he did get contact to vendor, but vendor did not fix all issues and wasn't co-operative in discussion.

Do you think NS-12-007 and NS-12-008 are new issues? If so we should request CVE-identifiers if these differ a lot of other XSS-issues. At the point where vendor does not fix issues like these nor reply I would say that people shouldn't be using the software at all.

- Henri Salo