Bug 736707 (CVE-2011-3352) - CVE-2011-3352 zikula (v1.3.x): XSS flaw due improper sanitization of 'themename' parameter by setting default, modifying and deleting themes
Summary: CVE-2011-3352 zikula (v1.3.x): XSS flaw due improper sanitization of 'themena...
Alias: CVE-2011-3352
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2011-09-08 13:13 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:47 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-09-08 13:23:28 UTC

Attachments (Terms of Use)

Description Jan Lieskovsky 2011-09-08 13:13:58 UTC
It was found that the Zikula web application framework did not properly sanitize the 'themename' parameter, while setting particular theme as a default one, modifying the theme or deleting it. A remote attacker, with Zikula administrator privilege, could use this flaw to execute arbitrary HTML or web script code in the context of the affected website.

[1] http://www.securityfocus.com/archive/1/519565/30/0/threaded
[2] https://www.htbridge.ch/advisory/xss_in_zikula.html

Relevant upstream patch:
[3] https://github.com/zikula/core/commit/c27dc3ddce8c9ff519ed57397e3bdf8f281aade6

Comment 1 Jan Lieskovsky 2011-09-08 13:20:55 UTC
Provided PoC (from [1], [2]):

http://host/index.php?module=theme&type=admin&func=setasdefault&themename=%3Cscript%3Ealert%28docu ment.cookie%29%3C/script%3E

CVE Request:
[4] http://www.openwall.com/lists/oss-security/2011/09/08/5

Comment 2 Jan Lieskovsky 2011-09-08 13:23:28 UTC
This issue did NOT affect the versions of the zikula package, as shipped with Fedora release of 14 and 15 (these versions do not contain the affected code in question yet).


This issue did NOT affect the versions of the zikula package, as present within EPEL-5 and EPEL-6 repositories (the zikula package versions there do not contain the vulnerable code in question yet).

Comment 3 Vincent Danen 2011-09-09 23:15:55 UTC
This issue was assigned the name CVE-2011-3352.

Comment 4 Jan Lieskovsky 2011-10-04 12:07:46 UTC
A potentially duplicate CVE identifier of CVE-2011-3979 has been also assigned to this issue. Checking with Mitre:
[5] http://www.openwall.com/lists/oss-security/2011/10/04/3

which CVE identifier is the proper one to be used to reference to this issue. Will update this bug later yet, if / once necessary.

Note You need to log in before you can comment on or make changes to this bug.