Hiki local_css Plug-in Multiple Field XSS

2004-07-12T02:06:38
ID OSVDB:19336
Type osvdb
Reporter OSVDB
Modified 2004-07-12T02:06:38

Description

Vulnerability Description

Hiki contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the 'theme_url' and 'local_them_url' parameters handled by the 'local_css' plug-in. This could allow an attacker to create a specially crafted URL that executes arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 0.6.5, 0.7.0-devel-20040626 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
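As an added example that is not Hiki's own code (the plug-in's internals are not shown on this page), the following Ruby filter illustrates the kind of check the flaw above lacks: a request-supplied stylesheet URL such as theme_url is restricted to http/https or a plain relative path and HTML-escaped before it is placed in a link tag. The helper names and the sample inputs are hypothetical.

```ruby
require 'cgi'
require 'uri'

# Hypothetical helpers (not Hiki's API): validate a theme URL taken from a
# request parameter before it is written into the page as a stylesheet link.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns the URL unchanged when it is acceptable, nil otherwise.
def safe_theme_url(value)
  return nil if value.nil? || value.empty? || value.length > 2048
  # Control characters (including CR/LF) never belong in a URL parameter.
  return nil if value.match?(/[\x00-\x1f\x7f]/)

  uri = URI.parse(value)           # raises on '<', '>', '"', spaces, etc.
  if uri.scheme
    # Absolute URL: only http/https, so javascript:, data: etc. are refused.
    return nil unless ALLOWED_SCHEMES.include?(uri.scheme.downcase)
  elsif value.start_with?('//')
    # Scheme-relative URL would still point at an arbitrary host.
    return nil
  end
  value
rescue URI::InvalidURIError
  nil
end

# Builds the <link> tag, or nil when the URL was rejected. The accepted value
# is still HTML-escaped so it can never close the href attribute or the tag.
def stylesheet_link(value)
  url = safe_theme_url(value)
  return nil unless url
  %(<link rel="stylesheet" type="text/css" href="#{CGI.escapeHTML(url)}">)
end

# Constructed sample inputs: two acceptable, three rejected.
SAMPLES = [
  'theme/blue.css',
  'https://example.test/blue.css',
  'javascript:alert(1)',
  '//evil.example/x.css',
  '"><script>alert(1)</script>'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |s| puts "#{s.inspect} => #{stylesheet_link(s).inspect}" }
end
```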


References:

Vendor URL: http://hikiwiki.org/
Vendor Specific Advisory URL
Related OSVDB IDs: 19334, 19339, 19341, 19332, 19337, 19333, 19335, 19338, 19340