##############################################################################
#
# Title    : JAMWiki 'num' Parameter Cross Site Scripting Vulnerability
# Author   : Sooraj K.S SecPod Technologies (www.secpod.com)
# Vendor   : http://jamwiki.org/wiki/en/JAMWiki
# Advisory : http://secpod.org/blog/?p=493
#            http://secpod.org/advisories/SecPod_JamWiki_XSS_Vuln.txt
# Software : JAMWiki 1.1.4
# Date     : 30/03/2012
#
###############################################################################

SecPod ID: 1036                                 13/12/2011 Issue Discovered
                                                21/02/2012 Vendor Notified
                                                21/02/2012 Vendor Acknowledge
                                                13/03/2012 Issue Resolved

Class: Cross-Site Scripting                     Severity: Medium


Overview:
---------
JAMWiki is prone to cross-site scripting vulnerability.


Technical Description:
----------------------
JAMWiki: Java-based Wiki engine is prone to a cross-site scripting
vulnerability because it fails to properly sanitize user-supplied input.

Input passed via the 'num' parameter in Special:AllPages is not properly
verified before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the context of
a vulnerable site. This may allow the attacker to steal cookie-based
authentication credentials and to launch other attacks.

The vulnerability has been tested in JAMWiki 1.1.3 and 1.14. Other versions may
also be affected.


Impact:
--------
Successful exploitation allows an attacker to execute arbitrary HTML and script
code in a user's browser session in the context of a vulnerable site.


Affected Software:
------------------
JAMWiki 1.1.4 and prior.


Reference:
---------
http://secpod.org/blog/?p=493
http://jamwiki.org/wiki/en/JAMWiki
http://jira.jamwiki.org/browse/JAMWIKI-76
http://secpod.org/advisories/SecPod_JamWiki_XSS_Vuln.txt


Proof of Concept:
-----------------
http://www.example.com/jamwiki/en/Special:AllPages?num="<script>alert(document.cookie)</script>


Solution:
----------
Upgrade to JAMWiki 1.1.6


Risk Factor:
-------------
    CVSS Score Report: 
        ACCESS_VECTOR          = NETWORK 
        ACCESS_COMPLEXITY      = MEDIUM 
        AUTHENTICATION         = NOT_REQUIRED 
        CONFIDENTIALITY_IMPACT = NONE 
        INTEGRITY_IMPACT       = PARTIAL 
        AVAILABILITY_IMPACT    = NONE 
        EXPLOITABILITY         = PROOF_OF_CONCEPT 
        REMEDIATION_LEVEL      = OFFICIAL_FIX 
        REPORT_CONFIDENCE      = CONFIRMED 
        CVSS Base Score        = 4.3 (AV:N/AC:M/Au:NR/C:N/I:P/A:N)
        Risk factor            = Medium 


Credits:
--------
Sooraj K.S of SecPod Technologies has been credited with the discovery of this
vulnerability.