Respected Sir, Your website "webconverger.org" is vulnerable to XSS Attack.

Vulnerable Links: webconverger.org/ikiwiki.cgi?action=verify&do=signin&openid_identifier=1

How To Reproduce The Vulnerability :

  1. Go to this link : webconverger.org/ikiwiki.cgi?action=verify&do=signin&openid_identifier=1
  2. refresh the page and intercept the http request using "brup suite" then at parameter "openid_identifier=" put xss payload
  3. forward the request

XSS Payload :

  1. "></script><script>prompt(909043)</script>
  2. "></script><script>prompt("XSS Alert...!!! : Hacked By Raghav Bisht")</script>
  3. "></script><script>prompt(document.cookie)</script>

NOTE : Proof of concept is attached.

Thank You...!!

Your Faithfully, Raghav Bisht raghav007bisht@gmail.com

Thanks Raghav for reporting this issue. I've fixed it in ikiwiki.

--Joey

Fix released as ?version 3.20150329.

Please try to report security vulnerabilities in private first, to give maintainers a chance to fix them without making it easier for attackers to exploit the newly discovered vulnerability until the maintainer can respond ("responsible disclosure"). In this particular case, I was away from my computer for a few days and was unable to make a release until I got back. --smcv

Are versions 3.20120629 or 3.20130904.1~bpo70+1 vulnerable? (wheezy and wheezy-backports, respectively) — Jon

3.20120629 is vulnerable; fixed in 3.20120629.2, which is in the proposed-updates queue (the security team declined to issue a DSA). The blogspam plugin doesn't work in wheezy either; again, a fix is in the proposed-updates queue.

3.20130904.1~bpo70+1 is almost certainly vulnerable, it looks as though someone has done a drive-by backport but not kept it updated. None of ikiwiki's Debian maintainers are involved in that backport; the .deb from jessie (or even from experimental) works fine on wheezy without recompilation. I use the latest upstream release from experimental on my otherwise-Debian-7 server. --smcv