BID:51173

PukiWiki Plus! Cross Site Scripting Vulnerability

Info

PukiWiki Plus! Cross Site Scripting Vulnerability

Bugtraq ID:	51173
Class:	Input Validation Error
CVE:	CVE-2011-3990
Remote:	Yes
Local:	No
Published:	Dec 22 2011 12:00AM
Updated:	Dec 22 2011 12:00AM
Credit:	Koki Nakayasu of Keiji Takeda Lab, Keio University
Vulnerable:	PukiWiki Plus! PukiWiki Plus! 1.4.7plus-u2-i18n

Not Vulnerable:

Discussion

PukiWiki Plus! Cross Site Scripting Vulnerability

PukiWiki Plus! is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

PukiWiki Plus! 1.4.7plus-u2-i18n and prior versions are vulnerable.

Exploit / POC

PukiWiki Plus! Cross Site Scripting Vulnerability

To exploit the issue, an attacker must entice an unsuspecting victim to follow a malicious URI.

Solution / Fix

PukiWiki Plus! Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references for more details.

References

PukiWiki Plus! Cross Site Scripting Vulnerability

References:

PukiWiki Plus! Downloadpage (PukiWiki Plus!)
PukiWiki Plus! vulnerable to cross-site scripting (JPCERT/CC and IPA)