Info

Disclosure

Jul 12, 2004

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Hiki contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'page name' from the 'attach' plug-in. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Rumored / Private
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 0.6.5, 0.7.0-devel-20040626 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Hiki Development Team	Hiki	0.6.3
		0.6.4
		0.7-devel-20040407
		0.7-devel-20040618

References

Related OSVDB ID: 19332 19333 19334 19336 19337 19338 19339 19340 19341
Vendor URL: http://hikiwiki.org/
Vendor Specific Advisory URL: http://hikiwiki.org/en/advisory20040712.html

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Hiki Development Team

Hiki

References

Credit