Nedostatak programskog paketa dokuwiki

U radu paketa DokuWiki uočen je i ispravljen nedostatak čije iskorištavanje može dovesti do izvođenja XSS napada.

Paket:	dokuwiki .x
Operacijski sustavi:	Fedora 14, Fedora 15
Problem:	neodgovarajuća provjera ulaznih podataka
Iskorištavanje:	lokalno/udaljeno
Posljedica:	umetanje HTML i skriptnog koda
Rješenje:	programska zakrpa proizvođača
CVE:	CVE-2011-2510
Izvorni ID preporuke:	FEDORA-2011-8816
Izvor:	Fedora

Problem:
Problem leži u RSS mehanizmu koji nepravilno rukuje korisničkim poveznicama.
Posljedica:
Napadač može iskoristiti propust za izvođenje XSS (eng. Cross-Site Scripting) napada.
Rješenje:
Preporučuje se uvid u originalnu preporuku i primjena nadogradnje.

Izvorni tekst preporuke

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-8816
2011-06-28 20:08:38
--------------------------------------------------------------------------------

Name        : dokuwiki
Product     : Fedora 14
Version     : 0
Release     : 0.8.20110525.a.fc14
URL         : http://www.dokuwiki.org/dokuwiki
Summary     : Standards compliant simple to use wiki
Description :
DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at
creating
documentation of any kind. It has a simple but powerful syntax which makes
sure
the datafiles remain readable outside the Wiki and eases the creation of
structured texts.

All data is stored in plain text files no database is required.

--------------------------------------------------------------------------------
Update Information:

Fix: XSS in DokuWiki's RSS embedding mechanism
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 28 2011 Andrew Colin Kissa <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 0-0.8.20110525.a
- Upgrade to latest upstream
- Fix Bugzilla bugs #717146, #717149, #717148, #715569
* Sun Mar 13 2011 Andrew Colin Kissa <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 0-0.7.20101107.a
- Fix geshi path
* Mon Jan 17 2011 Andrew Colin Kissa <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 0-0.6.20101107.a
- Fix selinux sub package
* Mon Jan 17 2011 Andrew Colin Kissa <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 0-0.5.20101107.a
- Upgrade to latest upstream
- Split package to create selinux package
- Fix Bugzilla bug #668386
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #717146 - CVE-2011-2510 dokuwiki: XSS in DokuWiki's RSS embedding
mechanism
        https://bugzilla.redhat.com/show_bug.cgi?id=717146
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update dokuwiki' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-8831
2011-06-28 20:09:53
--------------------------------------------------------------------------------

Name        : dokuwiki
Product     : Fedora 15
Version     : 0
Release     : 0.9.20110525.a.fc15
URL         : http://www.dokuwiki.org/dokuwiki
Summary     : Standards compliant simple to use wiki
Description :
DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at
creating
documentation of any kind. It has a simple but powerful syntax which makes
sure
the datafiles remain readable outside the Wiki and eases the creation of
structured texts.

All data is stored in plain text files no database is required.

--------------------------------------------------------------------------------
Update Information:

Fix: XSS in DokuWiki's RSS embedding mechanism
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 28 2011 Andrew Colin Kissa <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 0-0.9.20110525.a
- Upgrade to latest upstream
- Fix Bugzilla bugs #717146, #717149, #717148, #715569
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #717146 - CVE-2011-2510 dokuwiki: XSS in DokuWiki's RSS embedding
mechanism
        https://bugzilla.redhat.com/show_bug.cgi?id=717146
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update dokuwiki' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Nedostatak programskog paketa dokuwiki

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti

Nedostatak programskog paketa dokuwiki

Tražilica portala

Aktivnosti

O CIS-u

Posljednje sigurnosne preporuke

Posljednje vijesti

Popularni članci

Posljednji dokumenti