
Hiki Advisory 2005-08-04

 Japanese version may be found at http://hikiwiki.org/ja/advisory20050804.html.

Vulnerability in Hiki

Hiki Development Team

2005-08-04

I. Overview

Hiki is a Wiki clone written in Ruby. A Cross-Site Scripting vulnerability and a problem that may cause the loss of a configuration file have been discovered in Hiki. A remote attacker may steal a session ID and change configurations.

II. Systems affected

Hiki 0.8.0 - 0.8.2    Vulnerable
Hiki 0.6.6            Not vulnerable

III. Problems

Hiki 0.8.0 - 0.8.2 does not escape the page name when a user accesses a missing page.

Hiki 0.8.1 - 0.8.2 does not escape the page name in the 'Login' link.

Hiki 0.8.0 - 0.8.2 may lose its configuration file when it receives unexpected queries while saving the configuration.

These problems may allow a remote attacker to inject malicious script (e.g. JavaScript) into a page, steal a session ID, and change any configuration, including the password.

IV. Corrections

Hiki 0.8.3 escapes the page name in these cases and fixes the bug that could lose the configuration file.
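To illustrate the two escaping problems above and the kind of correction 0.8.3 applies, here is an added Ruby example that is not Hiki's own code: a missing-page message and its 'Login' link rendered once with the raw page name and once with the name escaped for each output context. The `?c=login;p=` query layout and the sample page name are assumptions constructed for the example.

```ruby
require 'cgi'
require 'erb'

# Constructed sample input: a page name carrying markup, as a request for a
# missing page could supply it (the wiki would otherwise echo it verbatim).
SAMPLE_PAGE = "<script>alert(1)</script>"

# Vulnerable rendering (the pre-0.8.3 behaviour this advisory describes):
# the page name is interpolated into HTML text and into the link unescaped,
# so any markup in the name becomes part of the page.
def missing_page_unescaped(name)
  "<p>#{name} is not found.</p>" \
  "<a href=\"?c=login;p=#{name}\">Login</a>"
end

# Hardened rendering: escape once per output context.
#   - HTML text context  -> CGI.escapeHTML (encodes < > & " ')
#   - URL query context  -> ERB::Util.url_encode (percent-encodes)
# The assumed query layout ?c=login;p=<name> is an example, not Hiki's.
def missing_page_escaped(name)
  text  = CGI.escapeHTML(name)
  query = ERB::Util.url_encode(name)
  "<p>#{text} is not found.</p>" \
  "<a href=\"?c=login;p=#{query}\">Login</a>"
end

# Detection helper for a code reviewer or regression test: true when the
# rendered HTML still contains the page name as raw, unescaped markup.
def echoes_raw_markup?(html, name)
  html.include?(name)
end

if __FILE__ == $PROGRAM_NAME
  puts missing_page_unescaped(SAMPLE_PAGE)
  puts missing_page_escaped(SAMPLE_PAGE)
  puts "vulnerable: #{echoes_raw_markup?(missing_page_unescaped(SAMPLE_PAGE), SAMPLE_PAGE)}"
  puts "hardened:   #{echoes_raw_markup?(missing_page_escaped(SAMPLE_PAGE), SAMPLE_PAGE)}"
end
```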

V. Solution

The Hiki Development Team has released Version 0.8.3, which corrects these vulnerabilities. Contact your vendor or distributor for a patch or an update as soon as possible. Please also refer to the news and documentation published by vendors and distributors for details.

VI. Acknowledgements

  • JPCERT/CC
  • IPA

[Related information]

The following documents are updated regularly. Please check for the latest version.

[Revision history]

2005/08/04 1.0 <http://hikiwiki.org/en/advisory20050804.html>: First version in English.
Last modified: 2005/08/04 10:03:09