Debian Security Advisory DSA 1523-1 (ikiwiki)

Debian Security Advisory DSA 1523-1 (ikiwiki) describes a cross-site scripting vulnerability in the ikiwiki package

Reporter	Title	Published	Views	Family All 26
FreeBSD	ikiwiki -- javascript insertion via uris	10 Feb 200800:00	–	freebsd
CVE	CVE-2008-0808	19 Feb 200800:00	–	cve
CVE	CVE-2008-0809	19 Feb 200800:00	–	cve
Cvelist	CVE-2008-0808	19 Feb 200800:00	–	cvelist
Cvelist	CVE-2008-0809	19 Feb 200800:00	–	cvelist
Debian	[SECURITY] [DSA 1523-1] New ikiwiki packages fix cross-site scripting	17 Mar 200820:51	–	debian
Debian CVE	CVE-2008-0808	19 Feb 200800:00	–	debiancve
Debian CVE	CVE-2008-0809	19 Feb 200800:00	–	debiancve
Tenable Nessus	Debian DSA-1523-1 : ikiwiki - XSS	21 Mar 200800:00	–	nessus
Tenable Nessus	FreeBSD : ikiwiki -- javascript insertion via uris (739329c8-d8f0-11dc-ac2f-0016d325a0ed)	12 Feb 200800:00	–	nessus

# OpenVAS Vulnerability Test
# $Id: deb_1523_1.nasl 6616 2017-07-07 12:10:49Z cfischer $
# Description: Auto-generated from advisory DSA 1523-1 (ikiwiki)
#
# Authors:
# Thomas Reinke <[email protected]>
#
# Copyright:
# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

include("revisions-lib.inc");
tag_insight = "Josh Triplett discovered that ikiwiki did not block Javascript in
URLs, leading to cross-site scripting vulnerabilities (CVE-2008-0808,
CVE-2008-0809).

For the stable distribution (etch), this problem has been fixed in
version 1.33.4.

For the unstable distribution (sid), this problem has been fixed in
version 2.31.1.

The old stable distribution (sarge) did not contain an ikiwiki package.

We recommend that you upgrade your ikiwiki package.";
tag_summary = "The remote host is missing an update to ikiwiki
announced via advisory DSA 1523-1.";

tag_solution = "https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201523-1";


if(description)
{
 script_id(60577);
 script_version("$Revision: 6616 $");
 script_tag(name:"last_modification", value:"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $");
 script_tag(name:"creation_date", value:"2008-03-19 20:30:32 +0100 (Wed, 19 Mar 2008)");
 script_cve_id("CVE-2008-0808", "CVE-2008-0809");
 script_tag(name:"cvss_base", value:"4.3");
 script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
 script_name("Debian Security Advisory DSA 1523-1 (ikiwiki)");



 script_category(ACT_GATHER_INFO);

 script_copyright("Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com");
 script_family("Debian Local Security Checks");
 script_dependencies("gather-package-list.nasl");
 script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages");
 script_tag(name : "solution" , value : tag_solution);
 script_tag(name : "insight" , value : tag_insight);
 script_tag(name : "summary" , value : tag_summary);
 script_tag(name:"qod_type", value:"package");
 script_tag(name:"solution_type", value:"VendorFix");
 exit(0);
}

#
# The script code starts here
#

include("pkg-lib-deb.inc");

res = "";
report = "";
if ((res = isdpkgvuln(pkg:"ikiwiki", ver:"1.33.4", rls:"DEB4.0")) != NULL) {
    report += res;
}

if (report != "") {
    security_message(data:report);
} else if (__pkg_match) {
    exit(99); # Not vulnerable.
}

07 Jul 2017 00:00Current

6.4Medium risk

Vulners AI Score6.4

EPSS0.00508