
List:       oss-security
Subject:    [oss-security] [Notification] CVE-2013-6047: ikiwiki-hosting: XSS in site creation interface
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2013-10-25 23:17:04
Message-ID: 20131025231704.GA29781 () eldamar ! local

Hi

This is a notification for the following assigned CVE:

CVE-2013-6047: ikiwiki-hosting: XSS in site creation.

The XSS only affects ikiwiki-hosting installations
that have a controlsite set up with the makesite plugin enabled. This
vulnerability was found by Gopal Bisht.

XSS fixed in ikiwiki-hosting 0.20131025[1].

 [1] http://packages.qa.debian.org/i/ikiwiki-hosting/news/20131025T224825Z.html

Upstream commits can be found in the upstream git repository:

git://ikiwiki-hosting.branchable.com/

in commits 83b221799e409b407c60fd246fd883d068775016 and
060f1b7728a0983cc010eacebdb94f0a440d98f1.

(attached for this notification).

Regards,
Salvatore

["0001-Fix-XSS-in-site-creation-interface.-Thanks-Gopal-Bis.patch" (text/x-diff)]

From 83b221799e409b407c60fd246fd883d068775016 Mon Sep 17 00:00:00 2001
From: Joey Hess <joey@kitenet.net>
Date: Fri, 25 Oct 2013 17:55:39 -0400
Subject: [PATCH 1/2] Fix XSS in site creation interface. Thanks, Gopal Bisht.

---
 debian/changelog        |  1 +
 templates/makesite.tmpl | 16 ++++++++--------
 templates/setupdns.tmpl | 10 +++++-----
 3 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index d58ec61..550ecfb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 ikiwiki-hosting (0.20130927) UNRELEASED; urgency=low
 
   * Exclude the site from showing up as a referrer in the analog report.
+  * Fix XSS in site creation interface. Thanks, Gopal Bisht.
 
  -- Joey Hess <joeyh@debian.org>  Sun, 08 Sep 2013 18:45:29 -0400
 
diff --git a/templates/makesite.tmpl b/templates/makesite.tmpl
index 02758de..2559caa 100644
--- a/templates/makesite.tmpl
+++ b/templates/makesite.tmpl
@@ -8,10 +8,10 @@
 <input type="hidden" name="type" value="<TMPL_VAR TYPE>" />
 <input type="hidden" name="hostname" value="<TMPL_VAR HOSTNAME>" />
 <input type="hidden" name="domain" value="<TMPL_VAR DOMAIN>" />
-<input type="hidden" name="internal_hostname" value="<TMPL_VAR INTERNAL_HOSTNAME>" />
+<input type="hidden" name="internal_hostname" value="<TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML>" \
/>  
 <div class="notice">
-Your site <TMPL_IF EXTERNAL_HOSTNAME><TMPL_VAR EXTERNAL_HOSTNAME><TMPL_ELSE><TMPL_VAR \
INTERNAL_HOSTNAME></TMPL_IF> +Your site <TMPL_IF EXTERNAL_HOSTNAME><TMPL_VAR EXTERNAL_HOSTNAME \
ESCAPE=HTML><TMPL_ELSE><TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML></TMPL_IF>  <TMPL_IF READY>
 has been created.
 <TMPL_ELSE>
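Review bot: The hidden inputs on the context lines directly above the changed one, `name="hostname"` and `name="domain"`, still place `<TMPL_VAR HOSTNAME>` and `<TMPL_VAR DOMAIN>` inside a double-quoted attribute without `ESCAPE=HTML`. They sit in the same form as `internal_hostname`, so a value containing `"` closes the attribute there just as it did here; escape them in this same change rather than leaving them for a follow-up.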
@@ -63,18 +63,18 @@ I agree to the <a href="/terms/">Terms of Service</a>.</label>
 <h1>Domain</h1>
 <p>
 <TMPL_IF DNS_NEEDED>
-To make your site be available at <TMPL_VAR EXTERNAL_HOSTNAME>,
+To make your site be available at <TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML>,
 you need to purchase that domain name. I can't do that for
 you, but you can buy the domain at sites like
 <a href="http://godaddy.com/">GoDaddy</a> or
 <a href="http://gandi.net/">Gandi</a>.
 When you buy the domain, configure it to point to
-<TMPL_VAR INTERNAL_HOSTNAME>.
+<TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML>.
 </TMPL_IF>
 <TMPL_IF DNS_WRONG>
-Looks like <TMPL_VAR EXTERNAL_HOSTNAME> already exists. If you own
+Looks like <TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML> already exists. If you own
 that domain, you need to visit your DNS Registrar, and configure
-the domain so it points to <TMPL_VAR INTERNAL_HOSTNAME>.
+the domain so it points to <TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML>.
 </TMPL_IF>
 </p>
 <p>
@@ -82,12 +82,12 @@ the domain so it points to <TMPL_VAR INTERNAL_HOSTNAME>.
 <TMPL_IF DNS_WRONG>
 <TMPL_IF RETRIED>
 <span class="error">&nbsp;&nbsp;Sorry, the DNS for
-<TMPL_VAR EXTERNAL_HOSTNAME> is still not right ...</span>
+<TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML> is still not right ...</span>
 </TMPL_IF>
 </TMPL_IF>
 </p>
 <p>
-Or, you can postpone using the <TMPL_VAR EXTERNAL_HOSTNAME> domain,
+Or, you can postpone using the <TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML> domain,
 and set it up later, after you've used your site for a while.
 </p>
 <p>
diff --git a/templates/setupdns.tmpl b/templates/setupdns.tmpl
index e359afa..b614bdf 100644
--- a/templates/setupdns.tmpl
+++ b/templates/setupdns.tmpl
@@ -15,20 +15,20 @@ Here you can configure the domain names used for this site.
 </p>
 <TMPL_IF DNS_NEEDED>
 <p>
-To make your site be available at <TMPL_VAR EXTERNAL_HOSTNAME>,
+To make your site be available at <TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML>,
 you need to purchase that domain name. I can't do that for
 you, but you can buy the domain at sites like
 <a href="http://godaddy.com/">GoDaddy</a> or
 <a href="http://gandi.net/">Gandi</a>.
 When you buy the domain, configure it to point to
-<TMPL_VAR INTERNAL_HOSTNAME>.
+<TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML>.
 </p>
 </TMPL_IF>
 <TMPL_IF DNS_WRONG>
 <p>
-To make your site be available at <TMPL_VAR EXTERNAL_HOSTNAME>,
+To make your site be available at <TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML>,
 you need to visit your DNS Registrar and configure the domain
-to point to <TMPL_VAR INTERNAL_HOSTNAME>.
+to point to <TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML>.
 </p>
 </TMPL_IF>
 </TMPL_IF>
@@ -39,7 +39,7 @@ DNS successfully configured.
 </TMPL_IF>
 
 <label for="dns_external">Main domain:</label><br />
-<input id="dns_external" name="external" size="60" value="<TMPL_VAR EXTERNAL_HOSTNAME>" /><br \
/> +<input id="dns_external" name="external" size="60" value="<TMPL_VAR EXTERNAL_HOSTNAME \
ESCAPE=HTML>" /><br />  <label for="dns_alias">Other domains:</label><br />
 <textarea id="dns_alias" name="alias" cols="60" rows="5"><TMPL_VAR ALIAS></textarea><br />
 <input type="submit" name="submit" value="Apply" />
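Review bot: The `<textarea id="dns_alias" ...><TMPL_VAR ALIAS></textarea>` context line is left unescaped, while the `external` input right above it now gets `ESCAPE=HTML`. Both fields are submitted by the same form, and an alias value containing `</textarea>` would end the element early, so suggest `<TMPL_VAR ALIAS ESCAPE=HTML>` here as well, or a comment stating where ALIAS is sanitised before it reaches the template.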
-- 
1.8.4.rc3


["0002-also-need-to-escape-the-HOSTNAME.patch" (text/x-diff)]

From 060f1b7728a0983cc010eacebdb94f0a440d98f1 Mon Sep 17 00:00:00 2001
From: Joey Hess <joey@kitenet.net>
Date: Fri, 25 Oct 2013 18:12:14 -0400
Subject: [PATCH 2/2] also need to escape the HOSTNAME

Also escaped the domain for good measure.
---
 templates/branchable.tmpl   | 6 +++---
 templates/controlpanel.tmpl | 4 ++--
 templates/makesite.tmpl     | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/templates/branchable.tmpl b/templates/branchable.tmpl
index 22dc2a3..55bd781 100644
--- a/templates/branchable.tmpl
+++ b/templates/branchable.tmpl
@@ -17,7 +17,7 @@ but will be subject to verification.
 <p>
 Users with <a href="/ikiwiki.cgi?do=setupsshkeys">configured ssh keys</a> can modify the git repository:
 <pre>
-git clone <TMPL_VAR GITSSHURL> <TMPL_VAR HOSTNAME>
+git clone <TMPL_VAR GITSSHURL> <TMPL_VAR HOSTNAME ESCAPE=HTML>
 </pre>
 </p>
 
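Review bot: On the changed `git clone` line only `HOSTNAME` gains `ESCAPE=HTML`; `<TMPL_VAR GITSSHURL>` on the same line is still emitted raw inside the `<pre>`. If that URL is built from the site's hostname it carries the same data, so escape it too, or note in the commit message why it is known to be safe.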
@@ -37,8 +37,8 @@ then change it as desired.
 <p>
 <form action="<TMPL_VAR CONTROLSITECGIURL>">
 <input type="hidden" name="do" value="branchsite" />
-<input type="hidden" name="branchof" value="<TMPL_VAR HOSTNAME>" />
-I want a branch of <TMPL_VAR HOSTNAME> named
+<input type="hidden" name="branchof" value="<TMPL_VAR HOSTNAME ESCAPE=HTML>" />
+I want a branch of <TMPL_VAR HOSTNAME ESCAPE=HTML> named
 <input name="hostname" size="40" placeholder="example.com" />
 <input type="hidden" name="domain" value="ikiwiki.info" />
 <input type="submit" name="submit" value="Create it now!" />
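Review bot: The `<form action="<TMPL_VAR CONTROLSITECGIURL>">` context line at the top of this hunk still interpolates into a quoted attribute without escaping. It is probably configuration rather than user input, but the commit message does not say so; adding `ESCAPE=HTML` costs nothing and keeps every attribute interpolation in this template consistent with the `branchof` fix below it.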
diff --git a/templates/controlpanel.tmpl b/templates/controlpanel.tmpl
index 2e5f078..f227d2b 100644
--- a/templates/controlpanel.tmpl
+++ b/templates/controlpanel.tmpl
@@ -100,10 +100,10 @@ Balance: $<TMPL_VAR BALANCE>
 </td>
 <td class="siteinfo">
 <div class="sitename">
-<a href="<TMPL_VAR SITE_URL>"><TMPL_VAR SITE_WIKINAME></a>
+<a href="<TMPL_VAR SITE_URL>"><TMPL_VAR SITE_WIKINAME ESCAPE=HTML></a>
 </div>
 <div class="sitedomain">
-<a href="<TMPL_VAR SITE_URL>"><TMPL_VAR SITE_DOMAIN></a>
+<a href="<TMPL_VAR SITE_URL>"><TMPL_VAR SITE_DOMAIN ESCAPE=HTML></a>
 </div>
 <div class="sitehistory">
 <TMPL_IF SITE_PARENT>Branched<TMPL_ELSE>Created</TMPL_IF>
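Review bot: Both changed lines escape the link text but leave `href="<TMPL_VAR SITE_URL>"` raw. The link text and the URL describe the same site, so if `SITE_URL` is derived from the site's name or domain, a `"` in it breaks out of the attribute exactly as the unescaped text did. Suggest `<TMPL_VAR SITE_URL ESCAPE=HTML>` on both lines.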
diff --git a/templates/makesite.tmpl b/templates/makesite.tmpl
index 2559caa..74337b4 100644
--- a/templates/makesite.tmpl
+++ b/templates/makesite.tmpl
@@ -6,8 +6,8 @@
 <input type="hidden" name="ready" value="<TMPL_VAR READY>" />
 <input type="hidden" name="retry" value="1" />
 <input type="hidden" name="type" value="<TMPL_VAR TYPE>" />
-<input type="hidden" name="hostname" value="<TMPL_VAR HOSTNAME>" />
-<input type="hidden" name="domain" value="<TMPL_VAR DOMAIN>" />
+<input type="hidden" name="hostname" value="<TMPL_VAR HOSTNAME ESCAPE=HTML>" />
+<input type="hidden" name="domain" value="<TMPL_VAR DOMAIN ESCAPE=HTML>" />
 <input type="hidden" name="internal_hostname" value="<TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML>" />
 
 <div class="notice">
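Review bot: After this hunk the `ready` and `type` hidden inputs on the context lines are the only values in the block still written as `value="<TMPL_VAR READY>"` and `value="<TMPL_VAR TYPE>"` with no `ESCAPE=HTML`. They are round-tripped through the same form as `hostname` and `domain`, so escape them here too; leaving two of five fields raw invites the next report against this template.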
-- 
1.8.4.rc3

