[pmwiki-users] FIXED Re: PMWiki SECURITY ALERT

Sandy sandy at onebit.ca
Thu Aug 31 12:21:10 CDT 2006


Figured the fix should be announced in the thread announcing the problem.

Sandy

 From the 2.1.18 Release Announcement by Pm:

I've just released pmwiki 2.1.18, available from

     http://www.pmwiki.org/pub/pmwiki/pmwiki-2.1.18.tgz
     http://www.pmwiki.org/pub/pmwiki/pmwiki-2.1.18.zip
     http://www.sourceforge.net/projects/pmwiki
     svn://pmwiki.org/pmwiki/tags/latest

The primary purpose of this release is to close a potential
cross-site scripting vulnerability that could allow an attacker
to inject Javascript statements for execution on visitors' browsers.
No known actual exploits of this vulnerability have been reported,
but the vulnerability has been publicly reported on the
pmwiki-users mailing list.

For those who are running older versions of PmWiki, the vulnerability
can be avoided by either upgrading to this release, or by restricting
page editing privileges to trusted individuals.  If upgrading poses
a difficulty for any site, please contact pmichaud at pobox.com for
assistance and a patch for older versions of PmWiki can be made
available.

In addition to the security-related fix just mentioned, this release
adds support for image-based form input controls via the
(:input image:) tag.

Lastly, a problem with ?action=print failing to set the {$Action}
variable properly has been fixed.

Comments, questions welcome as always.

Pm

JB wrote:
> Any person that can edit any PMWiki page can
> add event attributes allowing them to execute 
> javascript code.
> 
> This vulnerability affects ordinary tables 
> using "||" and tables using table directives 
> "(:table:)", "(:cell:)", etc and also 
> divs using "(:div:)".  There might be more
> but I am unaware of them.
> 
> To see an example of this vulnerability visit web page:
> 
>   http://wiki.bybent.com/testwiki/pmwiki.php?n=Main.HomePage
> 
> 
> Patrick Michaud said it is not wise to allow wiki 
> authors to use javascript inside of a PMWiki page 
> source because that would be a security risk. Specifically 
> he said 
> 
>   here's a page that demonstrates some XSS vulnerabilities using
> "javascript:" ... 
> 
>    
> http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0445.html
> 
> 
> Patrick Michaud , when you fix this please let me know the details 
> so I can also apply them to my AdvancedTableDirectives recipe which 
> also has this vulnerability.





More information about the pmwiki-users mailing list