History of Vulnerability Report Status

Comparing versions
Version 2Current version
In order to address the number of outstanding vulnerability reports visible on the network, it is intended that this page will list identified reports, provide links to them, and identify their current status. In a large number of cases, the reports are simply clones of one another and in many cases there is insufficient information to verify them, but often it is impossible to get the report updated to reflect the current status.
Bitweaver has the interesting problem of being able to install a sub-set of available facilities, and select tools and formats to be used, so while some reports may well be valid on one site, other sites may not have the same packages enabled. Sites configured only to allow tikiwiki syntax will not be affected by html vulnerabilities for instance. The first stopping place for assessing security is Security and any recommendations for improving a sites security should be documented there.
Why we need quite so many duplicate copies of these reports seems somewhat of a last of time, and where reports from 2006 are STILL marked as 'under review', perhaps these sites need to cull material that they do not want to manage? I suspect that we need to identify two or three original report sites and simply track them. CVE and it's copy at NVD seem to be the most comprehensive listing.

DateSiteLink to ReportStatusNotes
Undated 2006CVECVE-2006-3103 Version 1.3 - superseded by Version 2
Undated 2007CVECVE-2007-6374 Multiple Cross-site Scripting Vulnerabilities
Undated 2007CVECVE-2007-6375 SQL Injection Vulnerabilities
Undated 2007CVECVE-2007-6412 Code Injection into content
7th Dec 2007HSC-ResearchWas 28129Fixed R2.1Bitweaver Cross-Site Scripting
9th Dec 2007XForce39129Duplicatesee HSC 7th Dec 2007
9th Dec 2007XForce39130Duplicatesee HSC 7th Dec 2007
9th Dec 2007XForce38943Fixed R2.1
10th Dec 2007Secunia28024DuplicateQuoted original advisory no longer available - see HSC 7th Dec 2007
10th Dec 2007securityfocus26801Duplicatesee HSC 7th Dec 2007
9th Dec 2007osvdb26801Duplicatesee HSC 7th Dec 2007
11th Dec 2007securityreason3428Duplicate see HSC 7th Dec 2007
11th Dec 2007Vupen2007/4168Duplicatesee HSC 7th Dec 2007
30th Dec 2007AmnPardaz4814 Not sure file upload problem is valid?
25th Sept 2008Secunia32014Fixed R2.1Multiple Cross-site Scripting Vulnerabilities
25th Sept 2008XForce45409Fixed R2.1
28th Sept 2008securityfocus31395 Nothing identified to test
Undated 2008CVECVE-2008-4337Fixed R2.1Multiple Cross-site Scripting Vulnerabilities


Outstanding search results
CVE Listing 18 entries back to 2005 - mainly XSS
Secunia Listing 7 entries sub set of CVE
XForce (IBM ISS) Listing 19 entries - not spotted the extra one over CVE
 
This page lists vulnerability reports – concerning the security of the Bitweaver application – posted on websites other than bitweaver.org, in order to address and to discuss outstanding issues, and to identify their current status.

During and after the installation of Bitweaver, a user chooses to activate a sub-set of all available packages, modules, features, input formats, etc. A report on a security issues might be based on an unattended install, before the security recommendations were considered. A site with different settings may not be affected. As an example, a site configured to restrict input of data to wiki syntax will not be affected by HTML vulnerabilities.

Identifying and discussing these reports is necessary, because they might have one or all of the following problems:
  • the report is a clone of another report
  • insufficient information is given to verify the report
  • it is impossible to get the report updated to reflect the current status

List of reports

Date Site Resource Status Notes
2006CVECVE-2006-3103only Bitweaver version 1.3 s affected - superseded by version 2
2007CVECVE-2007-6374Multiple XSS Vulnerabilities
2007CVECVE-2007-6375SQL Injection Vulnerabilities
2007CVECVE-2007-6412Code Injection into content
2007-12-07HSC-ResearchWas 28129Fixed R2.1Bitweaver Cross-Site Scripting
2007-12-09XForce39129Duplicatesee HSC 7th Dec 2007
2007-12-09XForce39130Duplicatesee HSC 7th Dec 2007
2007-12-09XForce38943Fixed R2.1
2007-12-10Secunia28024DuplicateQuoted original advisory no longer available - see HSC 7th Dec 2007
2007-12-10securityfocus26801Duplicatesee HSC 7th Dec 2007
2007-12-09osvdb26801Duplicatesee HSC 7th Dec 2007
2007-12-11securityreason3428Duplicatesee HSC 7th Dec 2007
2007-12-11Vupen2007/4168Duplicatesee HSC 7th Dec 2007
2007-12-30AmnPardaz4814Not sure file upload problem is valid?
2007-09-25Secunia32014Fixed R2.1Multiple XSS Vulnerabilities
2007-09-25XForce45409Fixed R2.1
2007-09-28securityfocus31395Nothing identified to test
2008CVECVE-2008-4337Fixed R2.1Multiple XSS Vulnerabilities
2009-05-12Nine:Situations:Groupbitweaver_260Partial fixes 2.6.1
2009-05-12Milworm8659Partial fixes 2.6.1
2009-05-12VUPEN2009/1285Fixed 2.6.1
2009-05-12Secunia35057Partial fixes 2.6.1
2009-05-13engineeringforfunbitweaverPartial fixes 2.6.1Duplicated from


Report: Multiple XSS

The report named Multiple Cross-site Scripting Vulnerabilities has been duplicated across several sites, some of which do not list the concerned pages. The Secunia report has a list of pages that can be tested. In current versions of Bitweaver, these security issues have been fixed. They are all now handled correctly. For the original report, see Secunia Advisory: SA32014

To test if an install is compromised by the exploit, the string 

<?php
<script>alert('hi!');</script>
?>
can be used. Bitweaver version 2 and above prevent the creation of persistent XSS attacks, so the above script can not be stored within this page and will need to be added manually to the address bar of your browser. The string will be returned with the tag characters converted to %xx equivalents. Below is a list of PHP files of Bitweaver version 1.3 and below that are expected to be vulnerable to XSS-attacks. As the problem has been addressed within the core processing of Bitweaver, from version 2 on, these files and any other files, even if not listed here, are now considered to be immune against this exploit.


Further search results

CVE Listing 18 entries back to 2005, mainly XSS
Secunia Listing 7 entries sub set of CVE
XForce (IBM ISS) Listing 19 entries - not spotted the extra one over CVE
Page History
Date/CommentUserIPVersion
17 May 2009 (01:51 UTC)
spiderr71.77.29.2316
Current • Source
Lester Caine81.138.11.1365
View • Compare • Difference • Source
Lester Caine81.138.11.1364
View • Compare • Difference • Source
laetzer141.20.150.433
View • Compare • Difference • Source
Lester Caine81.138.11.1362
View • Compare • Difference • Source