Respected Sir, Your website "" is vulnerable to XSS Attack.

Vulnerable Links:

How To Reproduce The Vulnerability:

  1. Go to this link:
  2. Refresh the page and intercept the HTTP request using Burp Suite, then put the XSS payload in the parameter "openid_identifier="
  3. Forward the request

XSS Payload:

  1. "></script><script>prompt(909043)</script>
  2. "></script><script>prompt("XSS Alert...!!! : Hacked By Raghav Bisht")</script>
  3. "></script><script>prompt(document.cookie)</script>

NOTE: Proof of concept is attached.

Thank You...!!

Yours faithfully, Raghav Bisht

Thanks Raghav for reporting this issue. I've fixed it in ikiwiki.

Fix released as version 3.20150329.

Please try to report security vulnerabilities in private first, to give maintainers a chance to fix them without making it easier for attackers to exploit the newly discovered vulnerability until the maintainer can respond ("responsible disclosure"). In this particular case, I was away from my computer for a few days and was unable to make a release until I got back. --smcv
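The defensive side of what this thread describes, as an added example that is not ikiwiki's own code: a hypothetical login form that reflects the submitted openid_identifier value back into an HTML attribute, rendered once raw and once with attribute escaping, then inspected with Python's HTML parser to see whether the report's first payload produced a script element. The form markup and function names are assumptions for this example.

```python
# Added example (not ikiwiki's code): an unescaped openid_identifier value
# reflected into an HTML attribute lets the "> prefix of the reported payload
# close the attribute and inject a script element; escaping the value for an
# attribute context (html.escape with quote=True) keeps it inert.
from html import escape
from html.parser import HTMLParser

# First payload from the report above, used here as constructed test input.
PAYLOAD = '"></script><script>prompt(909043)</script>'


def render_login_form(identifier, escaped):
    """Reflect the submitted identifier into a hypothetical login form.

    escaped=False reproduces the vulnerable pattern (raw interpolation);
    escaped=True escapes & < > " and ' so the value cannot leave the attribute.
    """
    value = escape(identifier, quote=True) if escaped else identifier
    return (
        '<form method="post">'
        f'<input type="text" name="openid_identifier" value="{value}">'
        '</form>'
    )


class _Inspector(HTMLParser):
    """Count script elements and collect input values as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        elif tag == "input":
            # HTMLParser decodes entities in attribute values, so a correctly
            # escaped identifier round-trips to the original string.
            self.input_values.append(dict(attrs).get("value", ""))


def inspect(html_doc):
    """Return (number of script elements, list of input value attributes)."""
    parser = _Inspector()
    parser.feed(html_doc)
    parser.close()
    return parser.scripts, parser.input_values


if __name__ == "__main__":
    print(inspect(render_login_form(PAYLOAD, escaped=False)))  # (1, [''])
    print(inspect(render_login_form(PAYLOAD, escaped=True)))   # (0, [PAYLOAD])
```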

Are versions 3.20120629 or 3.20130904.1~bpo70+1 vulnerable? (wheezy and wheezy-backports, respectively) — Jon

3.20120629 is vulnerable; fixed in 3.20120629.2, which is in the proposed-updates queue (the security team declined to issue a DSA). The blogspam plugin doesn't work in wheezy either; again, a fix is in the proposed-updates queue.

3.20130904.1~bpo70+1 is almost certainly vulnerable; it looks as though someone has done a drive-by backport but not kept it updated. None of ikiwiki's Debian maintainers are involved in that backport; the .deb from jessie (or even from experimental) works fine on wheezy without recompilation. I use the latest upstream release from experimental on my otherwise-Debian-7 server. --smcv