=====================================================================
                                    CERT-Renater

                         Information Note No. 2011/VULN313
_____________________________________________________________________

DATE                      : 12/04/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running ikiwiki versions prior to 3.20110328.

======================================================================
http://ikiwiki.info/security/#index39h2
______________________________________________________________________

possible javascript insertion via insufficient htmlscrubbing of alternate
stylesheets


Giuseppe Bilotta noticed that 'meta stylesheet' directives allowed anyone
who could upload a malicious stylesheet to a site to add it to a page as
an alternate stylesheet, or to replace the default stylesheet.


This hole was discovered on 28 Mar 2011 and fixed the same hour with the
release of ikiwiki 3.20110328. An upgrade is recommended for sites that
have untrusted committers, or have the attachments plugin enabled.
(CVE-2011-1401)
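
Added example (not part of the advisory or of ikiwiki's own code): a review aid for sites with untrusted committers or attachments enabled, listing every page in a wiki source tree that sets a stylesheet through the meta directive. It assumes the ikiwiki directive form [[!meta stylesheet=NAME rel="..." title="..."]], pages stored as .mdwn files, and a source directory passed as the first argument; the sample page is constructed.

```python
import re
import sys
from pathlib import Path

# Matches a whole meta directive, with or without the "!" prefix; may span lines.
META_RE = re.compile(r'\[\[!?meta\s+(.*?)\]\]', re.DOTALL)
# Matches name=value parameters; values are bare words or double-quoted strings.
PARAM_RE = re.compile(r'([-.\w]+)=(?:"([^"]*)"|([^\s\]]+))')


def find_stylesheet_directives(text):
    """Return one dict of parameters per meta directive that sets stylesheet=."""
    hits = []
    for directive in META_RE.finditer(text):
        params = {}
        for name, quoted, bare in PARAM_RE.findall(directive.group(1)):
            params[name] = quoted if quoted else bare
        if "stylesheet" in params:
            hits.append(params)
    return hits


def audit_tree(srcdir, suffixes=(".mdwn",)):
    """Yield (relative page path, params) for every hit under srcdir."""
    root = Path(srcdir)
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            for params in find_stylesheet_directives(text):
                yield str(path.relative_to(root)), params


# Constructed sample page, used when no source directory is given.
SAMPLE_PAGE = '''[[!meta title="Sandbox"]]
Some text.
[[!meta stylesheet=uploaded rel="stylesheet" title="x"]]
[[!meta stylesheet="print"
  rel="alternate stylesheet" title="Print"]]
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_tree(sys.argv[1])
    else:
        results = (("<sample>", p) for p in find_stylesheet_directives(SAMPLE_PAGE))
    for page, params in results:
        print(f"{page}: stylesheet={params['stylesheet']!r} rel={params.get('rel')!r}")
```

Each reported stylesheet name can then be compared against the stylesheets the site administrator actually installed.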


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================



