
Hiki Advisory 2005-07-21

 Japanese version may be found at

Vulnerability in Hiki

Hiki Development Team


I. Overview

Hiki is a Wiki clone written in Ruby. The Hiki development team has discovered a Cross-Site Scripting vulnerability in a plugin function of Hiki.

II. Systems affected

  • Hiki 0.8.0 - 0.8.1
  • Hiki 0.6.6: Not vulnerable

III. Problems

Hiki does not escape double quotes in plugin strings, which allows a remote attacker to inject malicious script (e.g. JavaScript) into a page.

IV. Corrections

Hiki 0.8.2 escapes double quotes in plugin strings and fixes this vulnerability.
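As an added illustration (not Hiki's own code), the following Ruby compares an escaper that handles only text-node characters with one that also encodes the double quote, applied to a constructed plugin argument inserted into a double-quoted attribute; the tag layout, function names and sample input are assumptions for this example:

```ruby
# Escaping that covers only the characters needed inside a text node.
# A double quote passes through untouched, so a value placed inside a
# double-quoted attribute can terminate that attribute early.
def escape_text_only(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

# Escaping suitable for a double-quoted attribute value: the double quote
# is encoded too, so the attribute boundary cannot be broken.
def escape_attr(s)
  escape_text_only(s).gsub('"', '&quot;')
end

# Hypothetical plugin output: the argument becomes a title attribute.
def render_plugin_span(arg, escaper)
  %(<span title="#{escaper.call(arg)}">plugin</span>)
end

# Check used below: the rendered element must contain exactly the two
# double quotes that delimit the attribute, and no others.
def attribute_intact?(html)
  html.count('"') == 2
end

# Constructed sample plugin argument containing a double quote and markup.
PLUGIN_ARG = 'say "hello" <b>'

if __FILE__ == $0
  puts render_plugin_span(PLUGIN_ARG, method(:escape_text_only))
  puts render_plugin_span(PLUGIN_ARG, method(:escape_attr))
end
```

Ruby's standard CGI.escapeHTML also encodes the double quote as `&quot;`, so it is a suitable replacement for an escaper like escape_text_only when the value lands inside an attribute.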

V. Solution

The Hiki Development Team has released Version 0.8.2 to correct this vulnerability. Contact your vendor or distributor for a patch or an update as soon as possible. Please also refer to the news and documentation published by vendors and distributors for details.

[Related information]

The following documents are updated regularly. Please check for the latest version.

  • Hiki Official Site
  • Cross site scripting - Wikipedia

[Revision history]

2005/07/22 1.0: First version in English.
Last modified: 2005/07/22 11:35:03