Hiki Advisory 2005-07-21
A Japanese version may be found at https://hikiwiki.org/ja/advisory20050721.html.
Vulnerability in Hiki
Hiki Development Team
2005-07-21
I. Overview
Hiki is a Wiki clone written in Ruby. The Hiki development team has discovered a Cross-Site Scripting vulnerability in a plugin function of Hiki.
II. Systems affected
- Hiki 0.8.0 - 0.8.1
  - Vulnerable
- Hiki 0.6.6
  - Not vulnerable
III. Problems
Hiki does not escape double quotes in plugin strings, which allows a remote attacker to inject malicious script (e.g. JavaScript) into a page.
IV. Corrections
Hiki 0.8.2 escapes double quotes in plugin strings and fixes this vulnerability.
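To illustrate the class of bug described in sections III and IV, the following Ruby snippet is an added example written for this page; it is not Hiki's own plugin code. It interpolates a plugin argument into a double-quoted HTML attribute first without escaping and then through an escaping helper, and shows how an unescaped double quote lets attacker-controlled text break out of the attribute. The function names, the `title` attribute and the payload are assumptions, not taken from Hiki.

```ruby
require 'cgi'

# Vulnerable pattern (hypothetical, modelled on the advisory's description):
# the plugin argument is interpolated verbatim into a quoted attribute, so a
# double quote in the argument terminates the attribute value early.
def render_title_attr_unsafe(arg)
  %(<span title="#{arg}">plugin</span>)
end

# Escaping helper: CGI.escapeHTML turns &, <, >, " and ' into entities, so a
# double quote can no longer close the surrounding attribute.
def escape_plugin_string(s)
  CGI.escapeHTML(s.to_s)
end

# Hardened pattern: same template, but the argument is escaped first.
def render_title_attr_safe(arg)
  %(<span title="#{escape_plugin_string(arg)}">plugin</span>)
end

# Demonstration check: the template itself contributes exactly two double
# quotes, so any extra ones mean the argument broke out of the attribute.
def breaks_out_of_attribute?(html)
  html.count('"') != 2
end

# Constructed attacker-controlled input: closes the title attribute and
# appends an event-handler attribute carrying script.
PAYLOAD = %(x" onmouseover="alert(1))

if __FILE__ == $0
  puts render_title_attr_unsafe(PAYLOAD)  # attribute boundary broken
  puts render_title_attr_safe(PAYLOAD)    # quote rendered as &quot;
end
```

The same helper can be applied wherever a plugin string reaches HTML text or attribute context; escaping only the double quote would stop the attribute break-out shown here, but escaping the full set of HTML metacharacters is the safer default.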
V. Solution
The Hiki Development Team has released version 0.8.2, which corrects the vulnerability. Upgrade to 0.8.2, or contact your vendor or distributor for a patch or an update as soon as possible. Please also refer to the news and documentation published by vendors and distributors for details.
[Related information]
The following documents are updated regularly. Please check for the latest versions.
- Hiki Official Site https://hikiwiki.org/
- Cross site scripting - Wikipedia http://en.wikipedia.org/wiki/Cross_site_scripting
[Revision history]
- 2005/07/22 1.0 <http://hikiwiki.org/en/advisory20050721.html>: First version in English.