Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists
Security Alert: Multiple vulnerabilities addressed in Foswiki-2.1.3.
This alert covers a number of Severity 3 issues corrected through the normal bugfix process.
XSS / JavaScript injection vulnerabilities:
- Foswikitask:Item14069: The bin/attach script does not encode the uploaded filename, so a crafted filename can inject JavaScript into the response. The filename, filepath and newname values all require encoding.
- Foswikitask:Item14125: SlideShowPlugin inserts the query string into the hover text of the "start slideshow" button, allowing JavaScript insertion.
- Foswikitask:Item14171: JQuery Render fails to encode the template name. A crafted URL can inject JavaScript into the error message for a missing or invalid template.
- Foswikitask:Item14235: Multiple script injection paths through the edit action's redirectto and templatetopic parameters, and URL redirector abuse in the more template.
- Foswikitask:Item14287: It is possible to inject JavaScript into configure through the default settings that the Extensions Installer takes from an installed extension.
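The items above share one root cause: a request-supplied value (a filename, a query string, a template name) is written into an HTML response without being encoded for the context it lands in. The following Perl snippet is an added illustration of that pattern and its fix; it is not Foswiki's code. The handler subs, the sample filename and the /pub/Sandbox/ path are constructed for the example, and it encodes with two small inline helpers rather than with the escaping routines Foswiki itself uses.

```perl
#!/usr/bin/perl
# Added example, not Foswiki code: echoing an uploaded filename into an HTML
# response raw versus encoded for the context it lands in.
use strict;
use warnings;

# Constructed attacker-controlled filename, as it might arrive in a multipart
# upload. The quote and angle bracket are what break out of the markup.
my $filename = q{report.pdf"><script>alert(document.cookie)</script>};

# Vulnerable: raw interpolation into markup (the pattern the attach item describes).
sub render_unsafe {
    my ($name) = @_;
    return qq{<p>Uploaded <a href="/pub/Sandbox/$name">$name</a></p>\n};
}

# Encode a value for HTML text and double- or single-quoted attribute contexts.
sub html_encode {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Percent-encode one URL path segment: only RFC 3986 unreserved characters
# pass through. Assumes a byte string; UTF-8-encode non-ASCII names first.
sub path_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Hardened: each occurrence is encoded for its own context, so the same value
# is percent-encoded inside href="..." and entity-encoded as link text.
sub render_safe {
    my ($name) = @_;
    my $href = path_encode($name);
    my $text = html_encode($name);
    return qq{<p>Uploaded <a href="/pub/Sandbox/$href">$text</a></p>\n};
}

print "UNSAFE: ", render_unsafe($filename);
print "SAFE:   ", render_safe($filename);
```

Run it and compare the two lines: the unsafe output contains a live script element, the safe one renders the same filename as inert text and a link that cannot leave the attribute. The point the advisory makes about filename, filepath and newname is exactly this: every copy of a user-supplied value needs the encoder for its own context, not one encoding applied once.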
Other security related issues
- Foswikitask:Item14139: debugenableplugins can be set by users. This flag is supposed to be accessible only on Foswiki installations with DEBUG enabled. Users could use it to disable security-related extensions, such as anti-spam extensions. This was initially resolved in Foswikitask:Item12875 but was implemented incorrectly.
- Foswikitask:Item14281: On secure (https://) sites, not all cookies have the Secure flag set. The critical Foswiki session cookie does have the Secure flag set.
Severity Level
Severity 3 issue: Foswiki content or browser is compromised
The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess.
Vulnerable Software Versions
- Foswiki 1.0.0, Foswiki 1.0.0-beta1, Foswiki 1.0.0-beta2, Foswiki 1.0.0-beta3, Foswiki 1.0.1, Foswiki 1.0.2, Foswiki 1.0.3, Foswiki 1.0.4, Foswiki 1.0.5, Foswiki 1.0.6, Foswiki 1.0.7, Foswiki 1.0.8, Foswiki 1.0.9, Foswiki 1.0.9-rc1, Foswiki 1.0.9-RC2, Foswiki 1.0.10, Foswiki 1.0.10-rc1, Foswiki 1.1.0, Foswiki 1.1.0-beta1, Foswiki 1.1.0-RC1, Foswiki 1.1.1, Foswiki 1.1.2, Foswiki 1.1.3, Foswiki 1.1.3-RC1, Foswiki 1.1.4, Foswiki 1.1.4-RC2, Foswiki 1.1.5, Foswiki 1.1.6, Foswiki 1.1.7, Foswiki 1.1.8, Foswiki 1.1.9, Foswiki 1.1.10, Foswiki 1.1.10-RC1, Foswiki 1.2.0_Beta_1, Foswiki 1.2.0_Beta_2, Foswiki 2.0.0, Foswiki 2.0.0-RC1, Foswiki 2.0.0-RC2, Foswiki 2.0.1, Foswiki 2.0.2, Foswiki 2.0.3, Foswiki 2.1.0, Foswiki 2.1.0-Beta1, Foswiki 2.1.1, Foswiki 2.1.1-RC1, Foswiki 2.1.1-RC2, Foswiki 2.1.2
Fixed in
Foswiki 2.1.3
Impact
None of these issues are believed to result in compromise of the web server or of Foswiki data.
Details
Details are available in the individual linked tasks. These will be available for viewing following the general release of Foswiki 2.1.3.
Countermeasures
Current browsers block many reflected XSS attacks, which reduces the exposure from these issues, but upgrading is the only complete fix. We also recommend setting the appropriate security headers; these can be set in the web server configuration.
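The following Apache httpd fragment is an added illustration of the kind of headers meant above; it is not part of this advisory or of the Foswiki distribution, and its values are conservative starting points, not Foswiki-tested settings. It assumes mod_headers is loaded and that the site is served only over HTTPS. The Content-Security-Policy is deliberately left in report-only mode because Foswiki and its plugins rely on inline scripts, and the last directive addresses the Item14281 cookie issue at the web server until the upgrade is done.

```apache
# Added example (not Foswiki-supplied): hardening headers for an HTTPS-only Foswiki vhost.
<IfModule mod_headers.c>
    # Stop browsers from sniffing a served attachment into a scriptable type.
    Header always set X-Content-Type-Options "nosniff"

    # Refuse framing by other origins (clickjacking).
    Header always set X-Frame-Options "SAMEORIGIN"

    # Legacy browser XSS filter; current browsers have removed it, so keep it
    # only as defence in depth, never as the fix.
    Header always set X-XSS-Protection "1; mode=block"

    # Keep returning visitors on HTTPS for one year. Only on a host that is
    # fully reachable over HTTPS, including subdomains if includeSubDomains stays.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Report-only CSP: violations appear in the browser console and nothing is
    # blocked, so Foswiki's inline scripts keep working. Move to
    # Content-Security-Policy only once the reports are clean.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'"

    # Item14281: append the Secure flag to any cookie that still lacks it.
    # The negative lookahead leaves cookies that already carry it untouched.
    Header edit Set-Cookie "^((?:(?!;[ ]*[Ss]ecure).)*)$" "$1; Secure"
</IfModule>
```

Verify the result from outside with something like curl -sI against a page that sets cookies and confirm every Set-Cookie line ends in Secure and the other headers are present; the Set-Cookie edit must not be used on a site that is also served over plain HTTP, since those cookies would then never be sent back.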
Authors and Credits
Hotfix for Foswiki Production Release
No hotfixes are available for these vulnerabilities. Upgrade to Foswiki-2.1.3.