 |
|
You are here: Foswiki>Support Web>KnownIssuesOfFoswiki01x01>SecurityAlerts>SecurityAlert-XSSIssues-2017-0501 (08 Mar 2023, MichaelDaum)Edit Attach
plain text
Security Alert: Multiple vulnerabilities addressed in Foswiki-2.1.4.
Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists - Foswikitask:Item14381 mod_perl unexpectedly decodes the URI, and X-FoswikiURI header should be debug only.
- Foswikitask:Item14377 Error message from rest script requires some encoding.
- Foswikitask:Item14346 Systemd service file example runs foswiki as root.
Severity Level
Severity 3 issue: Foswiki content or browser is compromised The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcessVulnerable Software Versions
- Foswiki 1.0.0, Foswiki 1.0.0-beta1, Foswiki 1.0.0-beta2, Foswiki 1.0.0-beta3, Foswiki 1.0.1, Foswiki 1.0.2, Foswiki 1.0.3, Foswiki 1.0.4, Foswiki 1.0.5, Foswiki 1.0.6, Foswiki 1.0.7, Foswiki 1.0.8, Foswiki 1.0.9, Foswiki 1.0.9-rc1, Foswiki 1.0.9-RC2, Foswiki 1.0.10, Foswiki 1.0.10-rc1, Foswiki 1.1.0, Foswiki 1.1.0-beta1, Foswiki 1.1.0-RC1, Foswiki 1.1.1, Foswiki 1.1.2, Foswiki 1.1.3, Foswiki 1.1.3-RC1, Foswiki 1.1.4, Foswiki 1.1.4-RC2, Foswiki 1.1.5, Foswiki 1.1.6, Foswiki 1.1.7, Foswiki 1.1.8, Foswiki 1.1.9, Foswiki 1.1.10, Foswiki 1.1.10-RC1, Foswiki 1.2.0_Beta_1, Foswiki 1.2.0_Beta_2, Foswiki 2.0.0, Foswiki 2.0.0-RC1, Foswiki 2.0.0-RC2, Foswiki 2.0.1, Foswiki 2.0.2, Foswiki 2.0.3, Foswiki 2.1.0, Foswiki 2.1.0-Beta1, Foswiki 2.1.1, Foswiki 2.1.1-RC1, Foswiki 2.1.1-RC2, Foswiki 2.1.2, Foswiki 2.1.3, Foswiki 2.1.3-Beta1, Foswiki 2.1.3-Beta2, Foswiki 2.1.3-RC1
Impact
None of these issues are believed to result in compromise of the web server or of Foswiki data.Details
Details are available in the individual linked tasks. These will be available for viewing following the general release of Foswiki 2.1.4.Countermeasures
Good browser practices can now prevent most XSS injection attacks. We also recommend use of the appropriate Security headers. These can be set in the web server configuration.Authors and Credits
Thanks to Tim Coen of Curesec GmbH for finding and reporting the XSS issues. And thanks to Maxime Besson who reported the issue with the systemd files.Hotfix for Foswiki Production Release
No hotfixes are available for these vulnerabilities. Upgrade to Foswiki-2.1.4Edit | Attach | Print version | History: r4 < r3 < r2 < r1 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r4 - 08 Mar 2023, MichaelDaum
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy