Hiki Advisory 2005-08-04
Hiki Development Team
Hiki is a Wiki clone written in Ruby. A Cross-Site Scripting vulnerability and a problem that may cause the loss of a configuration file have been discovered in Hiki. A remote attacker may steal a session ID and change configurations.
- Hiki 0.8.0 - 0.8.2
- Hiki 0.6.6: Not vulnerable
Hiki 0.8.0 - 0.8.2 does not escape the page name when a user accesses a missing page.
Hiki 0.8.1 - 0.8.2 does not escape the page name in the 'Login' link.
Hiki 0.8.0 - 0.8.2 can lose its configuration file when unexpected queries are received while the configuration is being saved.
Hiki 0.8.3 escapes the page name in both cases and fixes the bug that loses the configuration file.
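The fix described above amounts to escaping the page name in every context it is written into: HTML text for the "missing page" message, and both the URL query and the HTML attribute for the 'Login' link. The Ruby helpers below are an added illustration of that pattern, not Hiki's own code; the query parameter names `c` and `p`, the message wording and the function names are assumptions.

```ruby
require 'cgi'

# Hypothetical helper (added example, not Hiki's code): the body shown when a
# requested page does not exist. The page name is user-controlled, so it is
# HTML-escaped before being placed in text content.
def missing_page_html(page_name)
  "<p>#{CGI.escapeHTML(page_name)} does not exist.</p>"
end

# Hypothetical helper: a 'Login' link that carries the current page name back
# to the login handler. The name passes through two contexts, so it is
# percent-encoded for the URL query first and the whole href is HTML-escaped
# for the attribute afterwards. Parameter names c and p are assumed.
def login_link_html(page_name)
  query = CGI.escape(page_name)          # URL query context
  href  = "?c=login&p=#{query}"          # assumed query format
  %(<a href="#{CGI.escapeHTML(href)}">Login</a>)
end

# Crude regression check a maintainer might keep beside the templates: no raw
# markup from the page name may survive into the rendered output.
def no_raw_markup?(html, page_name)
  !html.include?(page_name) || page_name !~ /[<>"'&]/
end

if __FILE__ == $PROGRAM_NAME
  name = '<b>x</b>'                      # constructed sample page name
  puts missing_page_html(name)
  puts login_link_html(name)
  puts no_raw_markup?(missing_page_html(name), name)
end
```

CGI.escapeHTML handles the text and attribute contexts; CGI.escape handles the query context. Applying only one of them to the link would leave either the URL or the attribute unescaped, which is why the link is encoded in two steps.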
The Hiki Development Team has released version 0.8.3, which corrects these vulnerabilities. Contact your vendor or distributor for a patch or an update as soon as possible. Please also refer to the news and documentation published by vendors and distributors for details.
The following documents are updated regularly. Please check for the latest version.
- JVN#38138980 Cross-site Scripting vulnerability in Hiki (Japanese) http://jvn.jp/jp/JVN%2338138980/
- Hiki Official Site http://hikiwiki.org/
- 2005/08/04 1.0 <http://hikiwiki.org/en/advisory20050804.html>: First version in English.