Anwiki CMS

Anwiki CMS : the first wiki/CMS dedicated to multilingual contents

FS#147 - XSS issue

Attached to Project: Anwiki CMS
Opened by anw (anw) - Sunday, 12 December 2010, 17:13 GMT
Last edited by anw (anw) - Sunday, 12 December 2010, 23:18 GMT
Task Type Security issue
Category Core
Status Closed
Assigned To anw (anw)
Operating System All
Severity High
Priority Urgent
Reported Version Anwiki 0.2.4
Due in Version Anwiki 0.2.5
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


Damon Haidary reported 2 more XSS issues. Details will be providen when security fix will be released.
This task depends upon

Closed by  anw (anw)
Sunday, 12 December 2010, 23:18 GMT
Reason for closing:  Fixed
Comment by anw (anw) - Sunday, 12 December 2010, 22:13 GMT
I spent a few hours escaping dynamic values on each template. This should secure the system, but I hope to find a better way to protect against XSS (maybe using a template system).
Comment by anw (anw) - Monday, 13 December 2010, 00:20 GMT
Security fix is released. Here are XSS details:

First one requires POST -

Second only needs a GET -;alert%28%22hi%22%29;x=%22