Re: [Full-disclosure] XSS Vulnerabilities in LabWiki

[Henri Salo <henri () nerv fi>]

On Wed, Aug 22, 2012 at 12:32:29PM +0300, Netsparker Advisories wrote:
> Information
> --------------------
> Name :  XSS Vulnerabilities in LabWiki
> Software :  LabWiki 1.5 and possibly below.
> Vendor Homepage :  http://www.bioinformatics.org/phplabware/labwiki/index.php
> Vulnerability Type :  Cross-Site Scripting
> Severity :  Critical
> Researcher :  Canberk Bolat
> Advisory Reference :  NS-12-008
>
> Description
> --------------------
> This wiki is powered by Qwiki Wiki, a minimalist PHP wiki engine
> originally developed by David Barrett, that uses plain text files to
> store data. The 'engine' is used to edit the data as well as to format
> it and present it as a web page. Significant modifications were done
> to the codes of this wiki for bugs and enhancements (XHTML compliance,
> UTF-8 encoding, backup maintainance, page deletion, etc.) by Santosh
> Patnaik (SP) who also largely seeded the wiki with new and old
> (non-wiki) documents.
>
> Details
> --------------------
> LabWiki is affected by XSS vulnerabilities in version 1.5. Example PoC
> urls are as follows :
>
> http://example.com/recentchanges.php?page_no='"--></style></script><script>alert(0x00039E)</script>&nothing=nothing
> http://example.com/index.php?page=What_is_wiki&from='"--></style></script><script>alert(0x0001C7)</script>
>
> You can read the full article about Cross-Site Scripting vulnerability
> from here :
>
> Cross-site Scripting: http://www.mavitunasecurity.com/crosssite-scripting-xss/
>
> Solution
> --------------------
> No patch released.
>
> Advisory Timeline
> --------------------
> 15/11/2011 - First contact: No response
> 01/01/2012 - Second contact: No response
> 22/08/2012 - Advisory Released
>
> Credits
> --------------------
> It has been discovered on testing of Netsparker, Web Application
> Security Scanner - http://www.mavitunasecurity.com/netsparker/.
>
> References
> --------------------
> MSL Advisory Link :
> http://www.mavitunasecurity.com/xss-vulnerabilities-in-labwiki/
> Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/
>
> About Netsparker
> --------------------
> Netsparker® can find and report security issues such as SQL Injection
> and Cross-site Scripting (XSS) in all web applications regardless of
> the platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allows it to be dead accurate in
> reporting hence it's the first and the only False Positive Free web
> application security scanner.
>
> -- 
> Netsparker Advisories, <advisories () mavitunasecurity com>
> Homepage, http://www.mavitunasecurity.com/netsparker-advisories/

This looks a lot like what muuratsalo has discovered some time ago: http://osvdb.org/show/osvdb/76934 (there is more 
similar issues in OSVDB if you use advanced search). If I remember correctly from muuratsalo's emails he did get 
contact to vendor, but vendor did not fix all issues and wasn't co-operative in discussion.

Do you think NS-12-007 and NS-12-008 are new issues? If so we should request CVE-identifiers if these differ a lot of 
other XSS-issues. At the point where vendor does not fix issues like these nor reply I would say that people shouldn't 
be using the software at all.

- Henri Salo