GLSA-200704-08 : DokuWiki: XSS vulnerability
Medium Nessus Plugin ID 25053
Synopsis: The remote Gentoo host is missing one or more security-related patches.
Description: The remote host is affected by the vulnerability described in GLSA-200704-08 (DokuWiki: XSS vulnerability).
DokuWiki does not sanitize the user-supplied value of the GET parameter 'media' in fetch.php before using it in an HTTP response header.
An attacker could entice a user to click a specially crafted link that injects CRLF (carriage return / line feed) characters into that parameter. Because the value is written into the response header, the injected CRLF sequences create new lines or fields in the returned HTTP response header (HTTP response splitting), which in turn permits the attacker to execute arbitrary scripts in the context of the user's browser.
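The following PHP snippet is an added illustration of the header-injection pattern the advisory describes; it is not DokuWiki's own fetch.php code, and the function names, the media-id character set and the sample payload are assumptions made for the example. It places the unsanitized pattern beside a hardened version that refuses CR/LF and restricts the value to a plain media id before it reaches a header.

```php
<?php
// Added example, not DokuWiki's fetch.php. Models how a GET parameter copied
// into a response header without sanitization allows CRLF injection.

// Vulnerable pattern (assumed shape): $media comes straight from $_GET['media'].
// PHP URL-decodes query parameters, so "%0d%0a" in the link arrives here as "\r\n".
function vulnerable_header(string $media): string
{
    return 'Content-Disposition: attachment; filename="' . $media . '"';
}

// Hardened: reject CR/LF outright, drop path components, and allow only the
// characters a media id needs (letters, digits, '_', '.', ':' and '-' are assumed).
function safe_media_id(string $media): ?string
{
    if (preg_match('/[\r\n]/', $media)) {
        return null;                     // header-injection attempt
    }
    $media = basename($media);           // no directory traversal via the id
    if (!preg_match('/^[A-Za-z0-9_.:-]+$/', $media)) {
        return null;                     // anything else is not a media id
    }
    return $media;
}

function hardened_header(string $media): ?string
{
    $id = safe_media_id($media);
    if ($id === null) {
        return null;                     // caller should answer 400 Bad Request
    }
    return 'Content-Disposition: attachment; filename="' . $id . '"';
}

// Constructed malicious value: the decoded form of a link carrying %0d%0a.
$payload = "logo.png\r\nSet-Cookie: session=evil\r\n\r\n<script>alert(1)</script>";

// Unsanitized: the single header becomes two headers plus a body fragment.
echo vulnerable_header($payload), "\n";
// Hardened: the request is rejected, a legitimate id passes unchanged.
var_dump(hardened_header($payload));          // NULL
var_dump(hardened_header('wiki:logo.png'));   // string containing filename="wiki:logo.png"
```

In a real handler the returned string would be passed to header(); PHP 5.1.2 and later refuse a header() value containing a newline, but an allow-list check such as safe_media_id() is still the right control, because it also keeps path separators and other unexpected characters out of the filename that is sent back to the browser.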
Solution: All DokuWiki users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-apps/dokuwiki-20061106'