Anwiki CMS

Anwiki CMS : the first wiki/CMS dedicated to multilingual contents
Tasklist

FS#147 - XSS issue

Attached to Project: Anwiki CMS
Opened by anw (anw) - Sunday, 12 December 2010, 17:13 GMT
Last edited by anw (anw) - Sunday, 12 December 2010, 23:18 GMT
Task Type: Security issue
Category: Core
Status: Closed
Assigned To: anw (anw)
Operating System: All
Severity: High
Priority: Urgent
Reported Version: Anwiki 0.2.4
Due in Version: Anwiki 0.2.5
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Damon Haidary reported 2 more XSS issues. Details will be provided when the security fix is released.
This task depends upon

Closed by anw (anw)
Sunday, 12 December 2010, 23:18 GMT
Reason for closing: Fixed
Comment by anw (anw) - Sunday, 12 December 2010, 22:13 GMT
I spent a few hours escaping dynamic values on each template. This should secure the system, but I hope to find a better way to protect against XSS (maybe using a template system).
Comment by anw (anw) - Monday, 13 December 2010, 00:20 GMT
The security fix is released. Here are the XSS details:

The first one requires a POST:
http://fiddle.jshell.net/QBU2A/show/light/#redirect

The second only needs a GET:
http://www.anwiki.com/%22;alert%28%22hi%22%29;x=%22
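The fix described in the earlier comment is escaping every dynamic value in the templates. The snippet below is an added example, not Anwiki's code; it assumes Anwiki is a PHP application and shows the escaping a template needs in the two output contexts the second payload targets (HTML and an inline JavaScript string), using the URL-decoded GET payload from above as constructed input. The `render`, `esc_html` and `esc_js` names are hypothetical.

```php
<?php
// Added example (not Anwiki's code): context-aware escaping of dynamic
// template values. Assumption: Anwiki is a PHP application.

// Escape a value placed into HTML text or a quoted HTML attribute.
function esc_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape a value placed inside an inline <script> block as a JS string.
// json_encode quotes the string and, with these flags, hex-escapes
// " ' < > and &, so the value cannot close the string or the <script> tag.
function esc_js(string $value): string {
    return json_encode($value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Render a small template fragment that echoes a request path twice:
// once as an HTML link, once as a JS string. $escape=false is the
// vulnerable "before" form; $escape=true applies the per-context escaper.
function render(string $path, bool $escape): string {
    $h = $escape ? esc_html($path) : $path;
    $j = $escape ? esc_js($path) : '"' . $path . '"';
    return "<a href=\"$h\">$h</a>\n<script>var p = $j; x = 1;</script>";
}

// Constructed input: the GET payload quoted on this page, URL-decoded.
// Unescaped, the leading quote closes the JS string and the rest runs.
$payload = '";alert("hi");x="';

echo "--- unescaped (vulnerable) ---\n", render($payload, false), "\n\n";
echo "--- escaped (fixed) ---\n", render($payload, true), "\n";
```

In the escaped output the JS line becomes `var p = "\u0022;alert(\u0022hi\u0022);x=\u0022";`, a single inert string literal, while the HTML context shows `&quot;` in place of each quote.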