 |
|
You are here: Foswiki>Support Web>KnownIssuesOfFoswiki01x01>SecurityAlerts>SecurityAlert-XSSIssues-2017-0201 (06 May 2017, GeorgeClark)Edit Attach
Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume
foswiki-announcelist - details at MailingLists
plain text
Security Alert: Multiple vulnerabilities addressed in Foswiki-2.1.3.
This alert covers a number of Severity 3 issues corrected through the normal bugfix process. XSS / JavaScript injection vulnerabilities:- Foswikitask:Item14069: The
bin/attachscript does not encode the uploaded filename. This can inject javascript into the response. filename, filepath and newname all require encoding. - Foswikitask:Item14125: SlideShowPlugin inserts the querstring into the hover text of the start slideshow button, allowing javascript insertion.
- Foswikitask:Item14171: JQuery Render fails to encode the template name. A crafted URL can inject javascript into the error message for a missing/invalid template.
- Foswikitask:Item14235: Multiple script injection paths through the
editaction, redirectto and templatetopic parameters. URL redirector abuse in themoretemplate. - Foswikitask:Item14287: Its possible to inject javascript into the configure via the Extensions Installer default settings provided by the installed extension.
- Foswikitask:Item14139:
debugenablepluginscan be set by users. This flag is supposed to only be accessible to Foswiki installations with DEBUG enabled. Users could potentially use this option to disable security related extensions, such as Anti-spam extensions. This was initially resolved in Foswikitask:Item12875 but was implemented incorrectly. - Foswikitask:Item14281: On secure sites (https://) not all cookies have the Secure flag set. The critical Foswiki Session cookie does have the secure flag set.
Severity Level
Severity 3 issue: Foswiki content or browser is compromised The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcessVulnerable Software Versions
- Foswiki 1.0.0, Foswiki 1.0.0-beta1, Foswiki 1.0.0-beta2, Foswiki 1.0.0-beta3, Foswiki 1.0.1, Foswiki 1.0.2, Foswiki 1.0.3, Foswiki 1.0.4, Foswiki 1.0.5, Foswiki 1.0.6, Foswiki 1.0.7, Foswiki 1.0.8, Foswiki 1.0.9, Foswiki 1.0.9-rc1, Foswiki 1.0.9-RC2, Foswiki 1.0.10, Foswiki 1.0.10-rc1, Foswiki 1.1.0, Foswiki 1.1.0-beta1, Foswiki 1.1.0-RC1, Foswiki 1.1.1, Foswiki 1.1.2, Foswiki 1.1.3, Foswiki 1.1.3-RC1, Foswiki 1.1.4, Foswiki 1.1.4-RC2, Foswiki 1.1.5, Foswiki 1.1.6, Foswiki 1.1.7, Foswiki 1.1.8, Foswiki 1.1.9, Foswiki 1.1.10, Foswiki 1.1.10-RC1, Foswiki 1.2.0_Beta_1, Foswiki 1.2.0_Beta_2, Foswiki 2.0.0, Foswiki 2.0.0-RC1, Foswiki 2.0.0-RC2, Foswiki 2.0.1, Foswiki 2.0.2, Foswiki 2.0.3, Foswiki 2.1.0, Foswiki 2.1.0-Beta1, Foswiki 2.1.1, Foswiki 2.1.1-RC1, Foswiki 2.1.1-RC2, Foswiki 2.1.2
Impact
None of these issues are believed to result in compromise of the web server or of Foswiki data.Details
Details are available in the individual linked tasks. These will be available for viewing following the general release of Foswiki 2.1.3.Countermeasures
Good browser practices can now prevent most XSS injection attacks. We also recommend use of the appropriate Security headers. These can be set in the web server configuration.Authors and Credits
- Foswikitask:Item14125 Reported by WhiteHat Security (VULN ID - 50376672).
- Foswikitask:Item14235 findings by Intel performing a dynamic site scan on http://rocketboards.org.
- Foswikitask:Item14287 reported in the IRC channel by user "somedude".
Hotfix for Foswiki Production Release
No hotfixes are available for these vulnerabilities. Upgrade to Foswiki-2.1.3Edit | Attach | Print version | History: r4 < r3 < r2 < r1 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r4 - 06 May 2017, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy