{maketoc}
This page lists vulnerability reports – concerning the security of the Bitweaver application – posted on websites other than bitweaver.org, in order to address and to discuss outstanding issues, and to identify their current status.

During and after the installation of Bitweaver, a user chooses to activate a sub-set of all available packages, modules, features, input formats, etc. A report on a security issues might be based on an unattended install, before the __((Security|security recommendations))__ were considered. A site with different settings may not be affected. As an example, a site configured to restrict input of data to wiki syntax will not be affected by HTML vulnerabilities.

Identifying and discussing these reports is necessary, because they might have one or all of the following problems:
* the report is a clone of another report
* insufficient information is given to verify the report
* it is impossible to get the report updated to reflect the current status



! List of reports

{|
! Date !! Site !! Resource !! Status !! Notes
|-
|2006
|CVE
|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3103
|CVE-2006-3103]
|
|only Bitweaver version 1.3 s affected - superseded by version 2
|-
|2007
|CVE
|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6374
|CVE-2007-6374]
|
|((Vulnerability Report Status#ReportMultipleXSS|Multiple XSS Vulnerabilities))
|-
|2007
|CVE
|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6375|CVE-2007-6375]
|
|((Security#SQLinjection|SQL Injection Vulnerabilities))
|-
|2007
|CVE
|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6412|CVE-2007-6412]
|
|((Security#Codeinjectionintocontent|Code Injection into content))
|-
|2007-12-07
|HSC-Research
|[http://www.hackerscenter.com/index.php?/HSC-Research-Group/Advisories/HSC-Bitweaver-Cross-Site-Scripting-amp-SQL-Injection-Vulnerability.html|Was 28129]
|Fixed R2.1
|[http://www.bitweaver.org/blogs/content/12274|Bitweaver Cross-Site Scripting]
|-
|2007-12-09
|XForce
|[osvdb.org/39129|39129]
|Duplicate
|see HSC 7th Dec 2007
|-
|2007-12-09
|XForce
|[osvdb.org/39130|39130]
|Duplicate
|see HSC 7th Dec 2007
|-
|2007-12-09
|XForce
|[http://xforce.iss.net/xforce/xfdb/38943|38943]
|Fixed R2.1
|
|-
|2007-12-10
|Secunia
|[http://secunia.com/advisories/28024|28024]
|Duplicate
|Quoted original advisory no longer available - see HSC 7th Dec 2007
|-
|2007-12-10
|securityfocus
|[http://www.securityfocus.com/bid/26801|26801]
|Duplicate
|see HSC 7th Dec 2007
|-
|2007-12-09
|osvdb
|[http://www.securityfocus.com/bid/26801|26801]
|Duplicate
|see HSC 7th Dec 2007
|-
|2007-12-11
|securityreason
|[http://securityreason.com/securityalert/3428|3428]
|Duplicate
|see HSC 7th Dec 2007
|-
|2007-12-11
|Vupen
|[www.vupen.com/english/advisories/2007/4168|2007/4168]
|Duplicate
|see HSC 7th Dec 2007
|-
|2007-12-30
|AmnPardaz
|[http://www.milw0rm.com/exploits/4814|4814]
|
|Not sure file upload problem is valid?
|-
|2007-09-25
|Secunia
|[http://secunia.com/advisories/32014|32014]
|Fixed R2.1
|((Vulnerability Report Status#ReportMultipleXSS|Multiple XSS Vulnerabilities))
|-
|2007-09-25
|XForce
|[http://xforce.iss.net/xforce/xfdb/45409|45409]
|Fixed R2.1
|
|
|-
|2007-09-28
|securityfocus
|[http://www.securityfocus.com/bid/31395|31395]
|
|Nothing identified to test
|-
|2008
|CVE
|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4337|CVE-2008-4337]
|Fixed R2.1
|((Vulnerability Report Status#ReportMultipleXSS|Multiple XSS Vulnerabilities))
|-
|2009-05-12
|Nine:Situations:Group
|[http://retrogod.altervista.org/|---]
|Partial fixes 2.6.1
|
|-
|2009-05-12
|Milworm
|[http://www.milw0rm.com/exploits/8659|8659]
|Partial fixes 2.6.1
|
|-
|2009-05-12
|VUPEN
|[http://www.vupen.com/english/advisories/2009/1285|2009/1285]
|Fixed 2.6.1
|
|-
|2009-05-13
|engineeringforfun
|[http://blog.engineeringforfun.com/bitweaver/bitweaver.html|bitweaver]
|Partial fixes 2.6.1
|Duplicated from
|}


! Report: Multiple XSS
The report named ''Multiple Cross-site Scripting Vulnerabilities'' has been duplicated across several sites, some of which do not list the concerned pages. The Secunia report has a list of pages that can be tested. In current versions of Bitweaver, __these security issues have been fixed.__ They are all now handled correctly. For the original report, see [http://secunia.com/advisories/32014|Secunia Advisory: SA32014]

To __test if an install is compromised by the exploit__, the string -+<script>alert('hi!');</script>+- can be used. Bitweaver version 2 and above prevent the creation of persistent XSS attacks, so the above script can not be stored within this page and will need to be added manually to the address bar of your browser. The string will be returned with the tag characters converted to %xx equivalents. Below is a list of PHP files of Bitweaver version 1.3 and below that are expected to be vulnerable to XSS-attacks. As the problem has been addressed within the ''core'' processing of Bitweaver, from version 2 on, these files ''and any other files, even if not listed here'', are now considered to be immune against this exploit.

* [http://www.bitweaver.org/articles/edit.php/|articles/edit.php]
* [http://www.bitweaver.org/articles/list.php/|articles/list.php]
* [http://www.bitweaver.org/blogs/list_blogs.php/|blogs/list_blogs.php]
* [http://www.bitweaver.org/blogs/rankings.php/|blogs/rankings.php]
* [http://www.bitweaver.org/calendar/index.php/|calendar/index.php]
* [http://www.bitweaver.org/events/calendar.php/|events/calendar.php]
* [http://www.bitweaver.org/events/index.php/|events/index.php]
* [http://www.bitweaver.org/events/list_events.php/|events/list_events.php]
* [http://www.bitweaver.org/fisheye/index.php/|fisheye/index.php]
* [http://www.bitweaver.org/fisheye/list_galleries.php/|fisheye/list_galleries.php]
* [http://www.bitweaver.org/liberty/list_content.php/|liberty/list_content.php]
* [http://www.bitweaver.org/newsletters/edition.php/|newsletters/edition.php]
* [http://www.bitweaver.org/pigeonholes/list.php/|pigeonholes/list.php]
* [http://www.bitweaver.org/recommends/index.php/|recommends/index.php]
* [http://www.bitweaver.org/rss/index.php/|rss/index.php]
* [http://www.bitweaver.org/stars/index.php/|stars/index.php]
* [http://www.bitweaver.org/users/remind_password.php/|users/remind_password.php]
* [http://www.bitweaver.org/wiki/orphan_pages.php/|wiki/orphan_pages.php]
* [http://www.bitweaver.org/stats/index.php/|stats/index.php]



! Further search results
[http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bitweaver|CVE] Listing 18 entries back to 2005, mainly XSS
[http://secunia.com/advisories/search/?search=bitweaver|Secunia] Listing 7 entries sub set of CVE
[http://webapp.iss.net/Search.do?keyword=bitweaver&searchType=keywd&start=0|XForce (IBM ISS)] Listing 19 entries - not spotted the extra one over CVE
Page History
Date/CommentUserIPVersion
17 May 2009 (01:51 UTC)
spiderr71.77.29.2316
Current • Source
Lester Caine81.138.11.1365
View • Compare • Difference • Source
Lester Caine81.138.11.1364
View • Compare • Difference • Source
laetzer141.20.150.433
View • Compare • Difference • Source
Lester Caine81.138.11.1362
View • Compare • Difference • Source