
Security of community developed and 3rd-party wiki plug-ins

Published: 08 September 2008 Publication History

Abstract

This paper discusses the significant security vulnerabilities that can occur in community-developed wiki plug-ins, and the issues associated with managing their remediation. General guidance is given on how such vulnerabilities can be detected and rectified.
The basis for the paper is direct experience with a number of community-developed plug-ins for DokuWiki, although the findings have also been transferred to other wikis such as MediaWiki. They are also transferable to other web server technologies that support similar plug-in frameworks, such as blogs.
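The class of defect the abstract refers to is easiest to see in the render step of a syntax plug-in, where attacker-controlled wiki markup is turned into HTML. The following is an added example, not code from the paper or from any real DokuWiki plug-in: a hypothetical `<color NAME>text</color>` plug-in reduced to two stand-alone PHP functions so the vulnerable form and the hardened form can be compared. In a real DokuWiki syntax plug-in the same logic would live in `render()` and append to `$renderer->doc`; the markup syntax, function names and test tokens below are all assumptions made for the illustration.

```php
<?php
// Added example (not from the paper or any real plug-in): the render step of a
// hypothetical DokuWiki-style syntax plug-in for <color NAME>text</color>.
// Anyone who can edit a page controls NAME and text, so both are untrusted.

// VULNERABLE: the color token is dropped straight into a style attribute and the
// wrapped text is emitted raw. A token such as
//     red" onmouseover="alert(1)
// closes the style attribute and injects an event handler: stored XSS that fires
// for every reader of the page.
function render_color_vulnerable(string $color, string $text): string
{
    return '<span style="color:' . $color . '">' . $text . '</span>';
}

// HARDENED, step 1: allow-list the token against the shapes a CSS color can take
// (a named color, letters only, or '#' followed by 3 or 6 hex digits). Anything
// else, including quotes, semicolons and parentheses, is rejected outright.
function is_safe_css_color(string $color): bool
{
    return preg_match('/\A(?:[A-Za-z]{1,20}|#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6}))\z/', $color) === 1;
}

// HARDENED, step 2: encode both the (already validated) token and the wrapped
// text for HTML context anyway, so the output stays safe even if the allow-list
// is loosened later. An unknown token degrades to unstyled text rather than
// being passed through.
function render_color_safe(string $color, string $text): string
{
    $encodedText = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if (!is_safe_css_color($color)) {
        return '<span>' . $encodedText . '</span>';
    }
    $encodedColor = htmlspecialchars($color, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span style="color:' . $encodedColor . '">' . $encodedText . '</span>';
}

// Constructed inputs: one benign token, one attribute break-out, one hex color
// wrapping a script tag. Running these through a plug-in and inspecting the
// rendered HTML is the basic detection check for this bug class.
$cases = [
    ['red', 'warning'],
    ['red" onmouseover="alert(1)', 'hover me'],
    ['#c0ffee', '<script>alert(2)</script>'],
];

foreach ($cases as [$color, $text]) {
    echo "token:      $color\n";
    echo "vulnerable: " . render_color_vulnerable($color, $text) . "\n";
    echo "hardened:   " . render_color_safe($color, $text) . "\n\n";
}
```

For the second case the vulnerable function emits `<span style="color:red" onmouseover="alert(1)">hover me</span>`, while the hardened one emits `<span>hover me</span>`; for the third, the hardened output keeps the valid hex color but encodes the script tag as `&lt;script&gt;...`. The two-layer approach (validate the token, then encode everything) is what makes the fix robust to later edits by other contributors, which matters for plug-ins maintained by a community rather than a single owner.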


Published In

WikiSym '08: Proceedings of the 4th International Symposium on Wikis
September 2008
219 pages
ISBN:9781605581286
DOI:10.1145/1822258

Sponsors

  • University of Porto

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. cross site scripting
  2. plug-in
  3. responsible disclosure
  4. security

Qualifiers

  • Research-article

Conference

WikiSym08
Sponsor:
WikiSym08: 2008 International Symposium on Wikis
September 8 - 10, 2008
Porto, Portugal

Acceptance Rates

Overall Acceptance Rate 69 of 145 submissions, 48%
