Bug 736707 (CVE-2011-3352)

Summary: CVE-2011-3352 zikula (v1.3.x): XSS flaw due to improper sanitization of 'themename' parameter when setting default, modifying and deleting themes
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: david, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-09-08 13:23:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jan Lieskovsky 2011-09-08 13:13:58 UTC
It was found that the Zikula web application framework did not properly sanitize the 'themename' parameter while setting a particular theme as the default one, modifying the theme or deleting it. A remote attacker with Zikula administrator privileges could use this flaw to execute arbitrary HTML or web script code in the context of the affected website.

[1] http://www.securityfocus.com/archive/1/519565/30/0/threaded
[2] https://www.htbridge.ch/advisory/xss_in_zikula.html

Relevant upstream patch:
[3] https://github.com/zikula/core/commit/c27dc3ddce8c9ff519ed57397e3bdf8f281aade6

Comment 1 Jan Lieskovsky 2011-09-08 13:20:55 UTC
Provided PoC (from [1], [2]):

http://host/index.php?module=theme&type=admin&func=setasdefault&themename=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

CVE Request:
[4] http://www.openwall.com/lists/oss-security/2011/09/08/5
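
Added example (not from this bug report or the Zikula project): a defender-side check for the flaw described in the description and the PoC above, run over constructed access-log lines. It scopes detection to theme-admin requests (module=theme&type=admin, as in the PoC), validates the decoded themename against an allowlist of theme-directory characters (the allowlist pattern, the sample log lines and the theme name in them are assumptions), and shows the HTML escaping that neutralizes the reflected value.

```python
"""Defender-side check for the themename XSS (CVE-2011-3352) described above.
Scopes to Zikula theme-admin requests, allowlist-validates the parameter,
and shows the output escaping that makes the reflected value harmless."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from any real server); the second
# request carries the PoC URL from the advisory, the third is out of scope.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Sep/2011:13:00:01 +0000] "GET /index.php?module=theme&type=admin&func=setasdefault&themename=Andreas08 HTTP/1.1" 200 512
10.0.0.9 - - [08/Sep/2011:13:00:02 +0000] "GET /index.php?module=theme&type=admin&func=setasdefault&themename=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E HTTP/1.1" 200 512
10.0.0.7 - - [08/Sep/2011:13:00:03 +0000] "GET /index.php?module=search&type=user&func=search&q=%3Cb%3Ehi%3C/b%3E HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumed allowlist for theme directory names: letters, digits, '_', '-', '.'.
THEMENAME_OK = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def parse_request(target):
    """Return (is_theme_admin, decoded themename or None) for a request target."""
    qs = parse_qs(urlsplit(target).query)  # parse_qs percent-decodes the values
    is_theme_admin = qs.get("module") == ["theme"] and qs.get("type") == ["admin"]
    return is_theme_admin, qs.get("themename", [None])[0]

def is_suspicious_themename(name):
    """Allowlist check: anything a theme directory could not be named is suspect."""
    return name is not None and THEMENAME_OK.match(name) is None

def scan_log(text):
    """Return [(client_ip, decoded themename)] for theme-admin requests
    whose themename fails the allowlist; other modules are ignored."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        is_theme_admin, name = parse_request(m.group("target"))
        if is_theme_admin and is_suspicious_themename(name):
            hits.append((line.split()[0], name))
    return hits

def safe_reflect(name):
    """Mitigation: HTML-escape the parameter before echoing it into a page."""
    return html.escape(name, quote=True)

if __name__ == "__main__":
    for ip, name in scan_log(SAMPLE_LOG):
        print(f"{ip}: suspicious themename {name!r} -> escaped {safe_reflect(name)!r}")
```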

Comment 2 Jan Lieskovsky 2011-09-08 13:23:28 UTC
This issue did NOT affect the versions of the zikula package as shipped with Fedora releases 14 and 15 (these versions do not contain the affected code in question yet).

This issue did NOT affect the versions of the zikula package as present within the EPEL-5 and EPEL-6 repositories (the zikula package versions there do not contain the vulnerable code in question yet).

Comment 3 Vincent Danen 2011-09-09 23:15:55 UTC
This issue was assigned the name CVE-2011-3352.

Comment 4 Jan Lieskovsky 2011-10-04 12:07:46 UTC
A potentially duplicate CVE identifier, CVE-2011-3979, has also been assigned to this issue. Checking with MITRE:
[5] http://www.openwall.com/lists/oss-security/2011/10/04/3

which CVE identifier is the proper one to use to reference this issue. Will update this bug later, if / once necessary.