retitle 465110 ikiwiki: CVE-2008-080{8,9} two cross-site scripting issues
thanks
Hi Joey,
* Joey Hess <[EMAIL PROTECTED]> [2008-02-10 20:16]:
> Package: ikiwiki
> Version: 1.33.3
> Severity: important
> Tags: security
>
> Josh Triplett noticed that ikiwiki's htmlscrubber did not sanitise uris
> that contained javascript. Impact is that ikiwiki wikis that are
> configured to allow untrusted users to edit could have javascript
> embedded in <a href="">, or possibly <img src=""> or even <form action="">.
> This javascript could be used to do, for example, cross-site scripting
> attacks. There is no CVE for this issue at this time, AFAIK, since Josh
> just noticed the problem last night.
[...]

There we go:
======================================================
Name: CVE-2008-0808
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0808
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=465110
Reference: CONFIRM:http://ikiwiki.info/security/#index30h2
Reference: SECUNIA:28911
Reference: URL:http://secunia.com/advisories/28911

Cross-site scripting (XSS) vulnerability in the meta plugin in Ikiwiki
before 1.1.47 allows remote attackers to inject arbitrary web script
or HTML via meta tags.

======================================================
Name: CVE-2008-0809
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0809
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=465110
Reference: CONFIRM:http://ikiwiki.info/security/#index27h2
Reference: SECUNIA:28911
Reference: URL:http://secunia.com/advisories/28911

Cross-site scripting (XSS) vulnerability in the htmlscrubber in
Ikiwiki before 1.1.46 allows remote attackers to inject arbitrary web
script or HTML via title contents.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
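The check the quoted report says was missing, a scheme allowlist on URI-carrying attributes, sketched here as an added Python example. It is not ikiwiki's htmlscrubber code (ikiwiki is written in Perl); the attribute set, the allowed schemes, the function names and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed policy: the attributes named in the report, and the schemes a wiki
# would normally accept in them.
URI_ATTRS = {"href", "src", "action"}
SAFE_SCHEMES = {"http", "https", "mailto"}
C0_AND_SPACE = "".join(map(chr, range(0x21)))  # U+0000 .. U+0020

def uri_is_safe(value):
    """True for a relative reference or an allowlisted scheme."""
    # Browsers drop tab/CR/LF anywhere in a URL and ignore leading control
    # characters and spaces, so normalise the same way before looking at the scheme.
    cleaned = re.sub(r"[\t\r\n]", "", value).lstrip(C0_AND_SPACE)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    if m:
        return m.group(1).lower() in SAFE_SCHEMES
    # No scheme: a relative reference. RFC 3986 forbids a colon in its first
    # path segment, so treat one as malformed and reject it.
    return ":" not in re.split(r"[/?#]", cleaned, maxsplit=1)[0]

class UriAudit(HTMLParser):
    """Collects (tag, attribute, value) for every URI attribute that fails the check."""
    def __init__(self):
        super().__init__()
        self.rejected = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in the value,
        # so "&#106;avascript:" arrives here as "javascript:".
        for name, value in attrs:
            if name in URI_ATTRS and value is not None and not uri_is_safe(value):
                self.rejected.append((tag, name, value))

def unsafe_uris(html):
    audit = UriAudit()
    audit.feed(html)
    audit.close()
    return audit.rejected

# Constructed sample input, not taken from the bug report.
SAMPLE = '''<a href="http://example.org/">ok</a>
<a href="javascript:void(0)">x</a>
<img src="&#106;avascript:void(0)">
<form action=" JaVa&#9;Script:void(0)"></form>
<a href="../page#frag">rel</a>'''

if __name__ == "__main__":
    for tag, attr, value in unsafe_uris(SAMPLE):
        print(f"rejected <{tag} {attr}={value!r}>")
```

A scrubber built on this would drop the rejected attribute or the whole element rather than only report it.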