      request #10219 XSS through the Transclude or FrameInclude plugin of PHPWiki
    Infos
    #10219
    Thomas Gerbet (tgerbet)
    2017-06-12 08:54
    2017-05-15 12:06
    10484
    Details
    XSS through the Transclude or FrameInclude plugin of PHPWiki

    An XSS payload can be injected into a wiki page by using the Transclude plugin.

    Impact

    An attacker could use this vulnerability to force a victim's browser to execute attacker-supplied script.
    CVSSv3 score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Exploitation

    1. Create a wiki page with the following content: <?plugin Transclude src=javascript:alert(1) ?>
    2. Access the newly created wiki page.
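    The defensive counterpart to the steps above, as an added example that is neither PHPWiki's code nor the fix committed at revision 10011: a scheme allowlist for a transcluded src value, written in Python for illustration. The policy (only absolute http(s) URLs and same-site relative paths are embedded) and the function names are assumptions.

```python
from html import escape
from urllib.parse import urlsplit

# Assumed policy for a transcluding frame: absolute http(s) URLs and same-site
# relative paths are embedded; every other scheme (javascript:, data:, vbscript:,
# ...) is refused. Illustrative code, not PHPWiki's Transclude plugin.
ALLOWED_SCHEMES = {"http", "https"}

# Characters the WHATWG URL parser discards before it looks for a scheme.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def _normalize(src: str) -> str:
    # Browsers strip leading/trailing C0 controls and spaces, then drop every
    # ASCII tab, CR and LF, so "java\tscript:" and " javascript:" both parse as
    # the javascript: scheme. Mirror that before inspecting the scheme.
    s = src.strip(_C0_AND_SPACE)
    return s.replace("\t", "").replace("\r", "").replace("\n", "")


def is_safe_transclude_src(src: str) -> bool:
    """True if src may be used as the src of an embedding frame."""
    parts = urlsplit(_normalize(src))
    if parts.scheme:
        # urlsplit lowercases the scheme, so "JavaScript:" is caught as well.
        return parts.scheme in ALLOWED_SCHEMES
    # No scheme: allow a same-site path, but not a protocol-relative
    # "//other.example/..." reference, which silently changes the host.
    return not parts.netloc


def render_transclude(src: str) -> str:
    """Emit iframe markup for an accepted src, or an inline error otherwise."""
    if not is_safe_transclude_src(src):
        # Echo the rejected value only after escaping it as HTML text.
        return "<p>Transclude: refused src " + escape(src) + "</p>"
    # Scheme validation never replaces output encoding: the value is still
    # attribute-escaped when written into the markup.
    return '<iframe src="' + escape(src, quote=True) + '"></iframe>'


if __name__ == "__main__":
    # Constructed inputs: the payload from the report plus a few variants
    # a defender should expect the check to handle.
    for candidate in ("javascript:alert(1)", "JavaScript:alert(1)",
                      " javascript:alert(1)", "java\tscript:alert(1)",
                      "data:text/html,x", "//other.example/",
                      "https://example.org/page", "/wiki/OtherPage"):
        print(repr(candidate), "->", is_safe_transclude_src(candidate))
```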

    References

    CWE 79
    OWASP Cross-site Scripting

    Doc/Wiki
    Status: Closed
    Close date: 2017-05-23

    Follow-ups

    Thomas Gerbet (tgerbet) 2017-05-30 09:02
    Adding planned disclosure date.

    Issue has been fixed in PHPWiki by the maintainer. The Transclude plugin is fixed at revision 10011. FrameInclude is no longer part of recent PHPWiki releases.
    Thomas Gerbet (tgerbet) 2017-05-22 12:06
    The maintainer of PHPWiki has also been warned about the issue in the FrameInclude plugin.
    Thomas Gerbet (tgerbet) 2017-05-20 23:59
    Reopening: the FrameInclude plugin has the exact same issue. Fix under review at gerrit #8453.

    • Summary
      -XSS through the Transclude plugin of PHPWiki 
      +XSS through the Transclude or FrameInclude plugin of PHPWiki 
    • Status changed from Closed to Reopen
    • Close date cleared
    Thomas Gerbet (tgerbet) 2017-05-18 14:50
    Marc-Etienne Vargenau has acknowledged the initial contact; full vulnerability details have been transmitted.
    Thomas Gerbet (tgerbet) 2017-05-17 15:04
    For information, the vulnerability is also present upstream. No way to report security issues is given on the Sourceforge project pages [1]; I have tried to reach out directly to Marc-Etienne Vargenau, who seems to be the last active maintainer. Waiting for a response.

    [1] https://sourceforge.net/projects/phpwiki/