TikiWiki tiki-remind_password.php Unspecified XSS

2006-05-25T12:05:04
ID OSVDB:26051
Type osvdb
Reporter Blwood(blwood@skynet.be)
Modified 2006-05-25T12:05:04

Description

Vulnerability Description

TikiWiki contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified variables upon submission to the tiki-remind_password.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 1.9.3.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://tikiwiki.org/
Vendor Specific News/Changelog Entry: http://sourceforge.net/project/shownotes.php?group_id=64258&release_id=421367
Secunia Advisory ID: 20334
Related OSVDB IDs: 26048, 26049, 26050, 26052, 26053, 26054, 26055, 26056, 26057, 26058, 26059, 26060, 26061, 26062
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0565.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0072.html
FrSIRT Advisory: ADV-2006-2024
CVE: CVE-2006-2635
Bugtraq ID: 18143