Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #10219 XSS through the Transclude or FrameInclude plugin of PHPWiki
    Actions
    Infos
    #10219
    Thomas Gerbet (tgerbet)
    2017-06-12 08:54
    2017-05-15 12:06
    10484
    Details
    XSS through the Transclude or FrameInclude plugin of PHPWiki

    A XSS can be injected into wiki page by using the Transclude plugin.

    Impact

    An attacker could use this vulnerability to force a victim to execute uncontrolled code.
    CVSSv3 score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Exploitation

    1. Create a wiki page with the following content <?plugin Transclude src=javascript:alert(1) ?>
    2. Access the page the newly created wiki page

    References

    CWE 79
    OWASP Cross-site Scripting

    Doc/Wiki
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2017-05-23
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #10116 Tuleap Releases 9.8 Delivered 2017-05-29 12:23 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #10219

    Artifact Tracker v5

    request #10286 phpwiki link does not work with FTP URL

    Git commit

    tuleap/tuleap/stable

    Merge commit 'refs/changes/98/8398/1' of ssh://gerrit.tuleap.net:29418/tuleap into stable bb4572ca11
    User avatar Nicolas Terray (nterray) , 2017-05-17 10:58
    request #10219: XSS through the Transclude plugin of PHPWiki 7f4acef33f
    User avatar Thomas Gerbet (tgerbet) , 2017-05-16 14:00
    Merge commit 'refs/changes/53/8453/2' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 26a81f39ea
    User avatar Marie Ange Garnier (marieange) , 2017-05-23 10:25
    request #10219: XSS through the FrameInclude plugin of PHPWiki d1dc3feccc
    User avatar Thomas Gerbet (tgerbet) , 2017-05-22 14:33
    Referenced by request #10219

    Artifact Tracker v5

    rel #10116 9.8

    Other

    gerrit #8398
    gerrit #8453
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2017-05-30 09:02
    Adding planned disclosure date.

    Issue has been fixed in PHPWiki by the maintainer. The Transclude plugin is fixed at revision 10011. FrameInclude is no more part of recent PHPWiki releases.
    User avatar
    Thomas Gerbet (tgerbet)2017-05-22 12:06
    The maintainer of PHPWiki has also been warned about the issue in the FrameInclude plugin.
    User avatar
    Thomas Gerbet (tgerbet)2017-05-20 23:59
    Reopening, FrameInclude plugin has the exact same issue. Fix under review at gerrit #8453.
    • Summary
      -XSS through the Transclude plugin of PHPWiki 
      +XSS through the Transclude or FrameInclude plugin of PHPWiki 
    • Status changed from Closed to Reopen
    • Close date cleared
    User avatar
    Thomas Gerbet (tgerbet)2017-05-18 14:50
    Marc-Etienne Vargenau has acknowledged the initial contact, full vulnerability details has been transmitted.
    User avatar
    Thomas Gerbet (tgerbet)2017-05-17 15:04
    For information, the vulnerability is also present upstream. No way to report security issues is given on the Sourceforge project pages [1], I have tried to reach out directly to Marc-Etienne Vargenau which seem to be the last active maintainer. Waiting for a response.



    [1] https://sourceforge.net/projects/phpwiki/