Trac Unspecified Wiki Engine Cross-Site Scripting Vulnerability

Bugtraq ID:	30400
Class:	Input Validation Error
CVE:	CVE-2008-3328
Remote:	Yes
Local:	No
Published:	Jul 28 2008 12:00AM
Updated:	May 07 2015 05:04PM
Credit:	Nathan Collins
Vulnerable:	Trac Trac 0.10.4 Trac Trac 0.10.3 Trac Trac 0.9.6 Trac Trac 0.9.5 Trac Trac 0.9.4 Nortel Networks VPN Router 1010 0.9.3
Not Vulnerable:	Trac Trac 0.10.5

Trac Unspecified Wiki Engine Cross-Site Scripting Vulnerability

Trac is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Versions prior to Trac 0.10.5 are vulnerable.

Trac Unspecified Wiki Engine Cross-Site Scripting Vulnerability

An attacker can exploit this issue by enticing an unsuspecting victim into following a malicious URI.

Trac Unspecified Wiki Engine Cross-Site Scripting Vulnerability

Solution:
The vendor has released Trac 0.10.5 to address this issue. Please see the references for more information.


Trac Trac 0.10.3

• Trac trac-0.10.5.tar.gz
  http://ftp.edgewall.com/pub/trac/trac-0.10.5.tar.gz

Trac Trac 0.10.4

• Trac trac-0.10.5.tar.gz
  http://ftp.edgewall.com/pub/trac/trac-0.10.5.tar.gz

Nortel Networks VPN Router 1010 0.9.3

• Trac trac-0.10.5.tar.gz
  http://ftp.edgewall.com/pub/trac/trac-0.10.5.tar.gz

Trac Trac 0.9.4

• Trac trac-0.10.5.tar.gz
  http://ftp.edgewall.com/pub/trac/trac-0.10.5.tar.gz

Trac Trac 0.9.5

• Trac trac-0.10.5.tar.gz
  http://ftp.edgewall.com/pub/trac/trac-0.10.5.tar.gz

Trac Trac 0.9.6

• Trac trac-0.10.5.tar.gz
  http://ftp.edgewall.com/pub/trac/trac-0.10.5.tar.gz

Trac Unspecified Wiki Engine Cross-Site Scripting Vulnerability

References:

• Trac Changelog (Trac)
  
• Trac Homepage (Trac)