Kiwix Server 'pattern' Parameter Cross-Site Scripting Vulnerability

Summary
The host has Kiwix installed and is prone to a cross-site scripting (XSS) vulnerability.
Impact
Successful exploitation will allow remote attackers to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Impact Level: Application
Solution
Apply the patch manually from the following link: http://sourceforge.net/p/kiwix/kiwix/ci/d1af5f0375c6db24d4071acf4806735725fd206e
Insight
Input passed via the 'pattern' parameter to '/search' is not properly sanitised before being returned to the user.
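The flaw class described above, as an added example that is not Kiwix code and not the linked patch: a hypothetical results-page fragment that echoes 'pattern' raw, the same fragment with output encoding, and a regression check a maintainer can run on both. The function names, the HTML fragment and the sample value are constructed for illustration.

```cpp
#include <iostream>
#include <string>

// HTML-escape text for use in element content and quoted attribute values.
std::string html_escape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical fragment: the pattern is echoed in a heading and in the search box.
// Vulnerable form: the value reaches the page unencoded.
std::string render_vulnerable(const std::string& pattern) {
    return "<h1>Results for " + pattern + "</h1>"
           "<input name=\"pattern\" value=\"" + pattern + "\">";
}

// Fixed form: the value is encoded at the point of output.
std::string render_fixed(const std::string& pattern) {
    const std::string p = html_escape(pattern);
    return "<h1>Results for " + p + "</h1>"
           "<input name=\"pattern\" value=\"" + p + "\">";
}

// Regression check: true if a pattern containing markup characters
// comes back in the page with those characters intact.
bool reflects_raw(const std::string& page, const std::string& pattern) {
    return pattern.find_first_of("<>\"'&") != std::string::npos
        && page.find(pattern) != std::string::npos;
}

int main() {
    const std::string sample = "\"><i>marker</i>";  // constructed, inert test value
    std::cout << reflects_raw(render_vulnerable(sample), sample) << "\n";
    std::cout << reflects_raw(render_fixed(sample), sample) << "\n";
}
```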
Affected
Kiwix version 0.9 and prior.
Detection
Send crafted data via an HTTP GET request and check whether it is able to read the cookie.