CVE Name: CVE-2008-1000
*Vulnerability Description*
MacOS X Server 10.5 [1], also known as Leopard Server, features a Wiki
Server [2], which is a multiuser web application written in Python. The
Wiki Server is vulnerable to a path traversal attack, which can be
exploited by non-privileged system users via a forged file upload to
write arbitrary files to locations in the server filesystem, restricted
only by the privileges of the Wiki Server application.
Wikepage Wiki v.2007-2 Cross-Site Scripting
Author: Gerendi Sandor Attila
Date: April 09, 2008
Package: Wikepage Wiki
Product homepage: http://wikepage.org/
Versions Affected: v.2007-2 (Other versions may also be affected)
Severity: XSS
Input passed to "wiki" in "index.php" is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when malicious data is viewed.
# Name : Vigile CMS v1.8 Multiple Remote XSS Vulnerability
# Download : http://www.itcms.it/
# Date : 20-09-2007
# Author : x0kster
# Mail : x0kster@gmail.com
# Note : For this to work, the wiki or the download module must be installed on the site.
#
# PoCs :
#
# Wiki 1 : http://[SITE]/[VIGILE_CMS_PATH]/index.php?nav=[WIKINAME]&title=[XSS]
# Wiki 2 : http://[SITE]/[VIGILE_CMS_PATH]/index.php/nav=[WIKINAME]?title=[XSS]
It was discovered that the unused SpellChecker extension in Moodle did not
correctly handle temporary files. If the tool had been locally modified,
it could be made to overwrite arbitrary local files via symlinks.
(CVE-2008-5153)
Mike Churchward discovered that Moodle did not correctly filter Wiki page
titles in certain areas. An authenticated remote attacker could exploit
this to cause cross-site scripting (XSS), which could be used to modify
or steal confidential data of other users within the same web domain.
(CVE-2008-5432, MSA-08-0022)
Debian Security Advisory DSA-2366-1 security@debian.org
http://www.debian.org/security/ Jonathan Wiltshire
December 18, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : mediawiki
Vulnerability : multiple
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-1578 CVE-2011-1579 CVE-2011-1580 CVE-2011-1587
CVE-2011-4360 CVE-2011-4361
Debian Security Advisory DSA-1901-1 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
October 05, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : mediawiki1.7
Vulnerability : several vulnerabilities
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2008-5249 CVE-2008-5250 CVE-2008-5252 CVE-2009-0737
Debian Bugs : 508868 508869 508870 514547
- PRE-REGISTER: at http://toorcamp.org/registration.
- SUBMIT A TALK OR WORKSHOP: at http://toorcamp.org/cfp
- ORGANIZE A CAMPSITE: please fill out the sign-up form at http://toorcamp.org/campsite-signup and make sure
to create a wiki page for your campsite at http://wiki.toorcamp.org/wiki/Category:Campsites. Email campsite
questions to campsites@toorcon.org.
- CABIN REQUEST: please email cabins@toorcon.org for more information.
- SPONSORSHIP OPPORTUNITIES: We are currently looking for sponsors for the camp. If you’re interested in
Debian Security Advisory DSA-2022-1 security@debian.org
http://www.debian.org/security/ Nico Golde
March 23rd, 2010 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : mediawiki
Vulnerability : several
Problem type : remote
Debian-specific: no
Debian bug : none
CVE ID : none assigned yet
Information
-----------------------------------
Name : XSS vulnerability in TWiki
Software : TWiki 5.0.1 and possibly below.
Vendor Homepage : http://twiki.org/
Vulnerability Type : Cross-Site Scripting
Severity : High
Researcher : Mesut Timur <mesut [at] mavitunasecurity [dot] com>
Advisory Reference : NS-11-005
CVE : CVE-2011-1838
computing resources are currently graciously donated by the Openwall
Project.
If you have an interest in the Open Source security space, you are
encouraged to participate in the oss-security community by adding content
to the wiki, contributing to mailing list discussions, or joining us on
IRC.
More information can be found on the group's wiki page here:
http://oss-security.openwall.org
======================================================================
TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion
======================================================================
Author: L4teral <l4teral [4t] gmail com>
Impact: Cross Site Scripting, Local File Inclusion
Status: patch available
Debian Security Advisory DSA-1976-1 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
January 22, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : dokuwiki
Vulnerability : several vulnerabilities
Problem type : remote
Debian-specific: no
Debian bugs : 565406
CVE Ids : CVE-2010-0287 CVE-2010-0288 CVE-2010-0289
Advisory: Tiki Wiki CMS Groupware Stored Cross-Site-Scripting
Advisory ID: INFOSERVE-ADV2011-07
Author: Stefan Schurtz
Contact: security@infoserve.de
Affected Software: Successfully tested on Tiki 8.1 & 6.4 LTS (affects all current releases)
Vendor URL: http://info.tiki.org/
Vendor Status: fixed
CVE-ID: CVE-2011-4551
==========================
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Several vulnerabilities have been reported in MoinMoin Wiki Engine.
Background
==========
MoinMoin is an advanced, easy to use and extensible Wiki Engine.
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that several wiki actions and preference settings in
MoinMoin were not protected from cross-site request forgery (CSRF). If an
authenticated user were tricked into visiting a malicious website while
logged into MoinMoin, a remote attacker could change the user's
configuration or wiki content. (CVE-2010-0668, CVE-2010-0717)
On Wed, Jul 20, 2011 at 02:40:25PM +0200, advisory@htbridge.ch wrote:
> Vulnerability ID: HTB23027
> Reference: http://www.htbridge.ch/advisory/xss_in_tiki_wiki_cms_groupware.html
> Product: Tiki Wiki CMS Groupware
> Vendor: info.tiki.org ( http://info.tiki.org )
> Vulnerable Version: 7.0 and probably prior
> Tested on: 7.0
> Vendor Notification: 29 June 2011
> Vulnerability Type: XSS (Cross Site Scripting)
> Status: Fixed by Vendor
Vulnerability ID: HTB23027
Reference: http://www.htbridge.ch/advisory/xss_in_tiki_wiki_cms_groupware.html
Product: Tiki Wiki CMS Groupware
Vendor: info.tiki.org ( http://info.tiki.org )
Vulnerable Version: 7.0 and probably prior
Tested on: 7.0
Vendor Notification: 29 June 2011
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium
Everyone knows the invaluable XSS cheat sheet maintained by "RSnake". It is
all about breaking things and features all the scenarios that can result in
XSS. To complement his efforts, there is an excellent XSS prevention cheat
sheet created by "Jeff Williams" (Founder and CEO, Aspect Security). As far
as I have seen, this wiki page provides the most comprehensive information
on protecting yourself from XSS on the internet. It advises using the OWASP
ESAPI api to mitigate any XSS arising from untrusted user input.
I was evaluating this ESAPI api and the recommendations given on the wiki to
see if there are any potential flaws. Any weakness impacts a very large
-------------------------------------------------------------------
PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Vulnerability
-------------------------------------------------------------------
author...............: Egidio Romano aka EgiX
mail.................: n0b0d13s[at]gmail[dot]com
software link........: http://www.pmwiki.org/
affected versions....: from 2.0.0 to 2.2.34
[-] vulnerable code in PageListSort() function defined in /scripts/pagelist.php
> the LGPL license [2].
>
> Links:
> Project's Web Page http://code.google.com/p/deeptoad/
> Download Web Page http://code.google.com/p/deeptoad/downloads/list
> Wiki http://code.google.com/p/deeptoad/w/list
>
> References:
> [1] http://ssdeep.sourceforge.net/
> [2] http://www.gnu.org/licenses/lgpl.html
>
Debian Security Advisory DSA 1371-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
September 11th, 2007 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : phpwiki
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2007-2024 CVE-2007-2025 CVE-2007-3193
Debian Bug : 429201 441390
Sponsoring
==========
If you want to support the initiative and gain visibility by
sponsoring, please contact us by writing an e-mail to info(AT)hack.lu
Web site and wiki
=================
http://www.hack.lu/
CfP website : http://2010.hack.lu/cfp/
Original Advisory URL: http://yehg.net/lab/pr0js/advisories/
Vendor Released Info:
http://community.zikula.org/index.php?module=News&func=display&sid=3041&title=zikula-1.2.5-released
Zikula 1.2.5 Changelog:
http://code.zikula.org/core12/browser/tags/Zikula-1.2.5/src/docs/CHANGELOG
CSRF Wiki: https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_request_forgery
#yehg [2011-02-01]
---------------------------------
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[xoops_2.5.0]_cross_site_scripting
Vendor Announcement: http://xoops.org/modules/news/article.php?storyid=5851
What XSS Can Do: http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf
XSS FAQs: http://www.cgisecurity.com/articles/xss-faq.shtml
XSS (wiki): http://en.wikipedia.org/wiki/Cross-site_scripting
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html
of features that should be considered when conducting an evaluation. The
WASSEC project does not promote any specific products or tools, but instead
provides valuable information to help you make your own decision about which
of these tools best meets your needs.
The WASSEC document can be found here in both wiki and PDF formats:
http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria
A large group of volunteers have contributed their expertise to the WASSEC
project. If you have questions or would like to contribute to future
If you want to support the initiative and gain visibility by sponsoring,
please contact us by writing an e-mail to info(AT)hack.lu
Web site and wiki:
------------------
http://2009.hack.lu/
Debian Security Advisory DSA-1553-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
April 20, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : ikiwiki
Vulnerability : cross-site request forgery
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-0165
Debian Bug : 475445
forms in the Global Search Engine.
CVE-2010-1615
Multiple SQL injection vulnerabilities allow remote attackers
to execute arbitrary SQL commands via vectors related to (1)
the add_to_log function in mod/wiki/view.php in the wiki
module, or (2) "data validation in some forms elements"
related to lib/form/selectgroups.php.
CVE-2010-1616
Moodle can create new roles when restoring a course, which
Debian Security Advisory DSA-2020-1 security@debian.org
http://www.debian.org/security/ Nico Golde
March 20th, 2010 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : ikiwiki
Vulnerability : insufficient input sanitization
Problem type : local/remote
Debian-specific: no
Debian bug : none
CVE ID : none assigned yet