Hiki Advisory 2005-08-04
Vulnerability in Hiki
Hiki Development Team
2005-08-04
I. Overview
Hiki is a Wiki clone written in Ruby. A cross-site scripting vulnerability and a problem that may cause a configuration file to be lost have been discovered in Hiki. A remote attacker may steal a session ID and change the configuration.
II. Systems affected
- Hiki 0.8.0 - 0.8.2: Vulnerable
- Hiki 0.6.6: Not vulnerable
III. Problems
Hiki 0.8.0 - 0.8.2 does not escape the page name when a user accesses a missing page.
Hiki 0.8.1 - 0.8.2 does not escape the page name in the 'Login' link.
Hiki 0.8.0 - 0.8.2 loses its configuration file when unexpected queries are received while the configuration is being saved.
These problems may allow a remote attacker to inject malicious script (e.g. JavaScript) into a page, steal a session ID, and change any configuration setting, including the password.
IV. Corrections
Hiki 0.8.3 escapes the page name in these cases and fixes the bug that causes the configuration file to be lost.
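As an added illustration of the correction (this is not Hiki's own code; the helper names and markup are assumed), the following Ruby renders the two page-name outputs named above with the page name escaped for its HTML and URL context, so a crafted name is emitted as inert text rather than markup:

```ruby
require 'cgi'

# Constructed example, not Hiki's code. The helper names and the exact
# markup are assumptions; Hiki's real templates look different.

# Notice shown when a user requests a page that does not exist.
# The page name lands in HTML text, so it is escaped with CGI.escapeHTML,
# which turns < > & " ' into character references.
def render_missing_page(page_name)
  safe_name = CGI.escapeHTML(page_name)
  "<p>The page \"#{safe_name}\" does not exist.</p>"
end

# 'Login' link that carries the current page name back as a query parameter.
# The name is first URL-encoded (CGI.escape) for the query string, then the
# whole href is HTML-escaped for the attribute context.
def render_login_link(page_name)
  href = "login?p=#{CGI.escape(page_name)}"
  "<a href=\"#{CGI.escapeHTML(href)}\">Login</a>"
end

# Check that the only raw '<' characters in a rendered fragment belong to the
# fixed wrapper tags, i.e. none of the caller-supplied name survived unescaped.
def only_template_tags?(html, wrapper_tag_count)
  html.count('<') == wrapper_tag_count
end

if __FILE__ == $PROGRAM_NAME
  name = '<script>alert(1)</script>'
  puts render_missing_page(name)
  puts render_login_link(name)
end
```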
V. Solution
The Hiki Development Team has released version 0.8.3, which corrects these vulnerabilities. Contact your vendor or distributor for a patch or an update as soon as possible. Please also refer to the news and documentation published by vendors and distributors for details.
VI. Acknowledgements
- JPCERT/CC
- IPA
[Related information]
The following documents are updated regularly. Please check for the latest version.
- JVN#38138980 Cross-site Scripting vulnerability in Hiki (Japanese) http://jvn.jp/jp/JVN%2338138980/
- Hiki Official Site https://hikiwiki.org/
[Revision history]
- 2005/08/04 1.0 <http://hikiwiki.org/en/advisory20050804.html>: First version in English.