STG Security Advisory: [SSA-20041022-08] MoniWiki XSS vulnerability

Revision 1.0

Date Published: 2004-10-22 (KST)

Last Update: 2004-10-22

Disclosed by SSR Team (advisory (at) stgsecurity (dot) com [email concealed])

Summary

========

MoniWiki is a wiki web application used by many Korean Linux users.

It has a cross site scripting vulnerability.

Vulnerability Class

===================

Implementation Error: Input validation flaw

Details

=======

Due to an input validation flaw, the MoniWiki is vulnerable to cross site

scripting attacks.

http://[victim]/wiki.php/<script>alert("XSS Vulnerability exists")</script>

Impact

======

Medium: Malicious attackers can inject and execute arbitrary script code in

a user's browser session in context of an affected site.

Solution

=========

Update to MoniWiki 1.0.9

Affected Products

================

MoniWiki 1.0.8 and prior

Vendor Status: FIXED

=======================

2004-09-30 Vulnerability found.

2004-09-30 MoniWiki developer notified.

2004-10-21 MoniWiki 1.0.9 released.

2004-10-22 Official release.

Credits

======

Jeremy Bae at STG Security

[ reply ]