Post Wed Sep 11, 2013 3:57 pm

HTB23170: cross-site scripting (XSS) in WikkaWiki 1.3.4

Advisory ID: HTB23170
Product: WikkaWiki
Vendor: Wikka Development Team
Vulnerable Versions: 1.3.4 and probably prior
Tested Version: 1.3.4
Vendor Notification: August 21, 2013
Vendor Fix: August 31, 2013
Public Disclosure: September 11, 2013
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-5586
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab

Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in WikkaWiki, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users of vulnerable application.

1) Cross-Site Scripting (XSS) in WikkaWiki: CVE-2013-5586
The vulnerability exists due to insufficient sanitisation of user-supplied data in "wakka" HTTP GET parameter passed to "/sql/" URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation example below uses JavaScript "alert()" function to display user's cookies:
  Code:
http://[host]/sql/?wakka=sql&wakka=%22onmouseover=%22javascript:alert%28document.cookie%29;%22%3Elin k%3C/a%3E

Solution:
Update to Wikka 1.3.4-p1

More Information:
http://docs.wikkawiki.org/WhatsNew
https://wush.net/trac/wikka/ticket/1152

References:
[1] High-Tech Bridge Advisory HTB23170 - Cross-Site Scripting (XSS) in WikkaWiki.
[2] WikkaWiki - http://www.wikkawiki.org - WikkaWiki is a flexible, standards-compliant and lightweight wiki engine written in PHP, which uses MySQL to store pages.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.