This page lists vulnerability reports – concerning the security of the Bitweaver application – posted on websites other than bitweaver.org, in order to address and to discuss outstanding issues, and to identify their current status.

During and after the installation of Bitweaver, a user chooses to activate a sub-set of all available packages, modules, features, input formats, etc. A report on a security issues might be based on an unattended install, before the security recommendations were considered. A site with different settings may not be affected. As an example, a site configured to restrict input of data to wiki syntax will not be affected by HTML vulnerabilities.

Identifying and discussing these reports is necessary, because they might have one or all of the following problems:

• the report is a clone of another report
• insufficient information is given to verify the report
• it is impossible to get the report updated to reflect the current status

List of reports

Date	Site	Resource	Status	Notes
2006	CVE	CVE-2006-3103		only Bitweaver version 1.3 s affected - superseded by version 2
2007	CVE	CVE-2007-6374		Multiple XSS Vulnerabilities
2007	CVE	CVE-2007-6375		SQL Injection Vulnerabilities
2007	CVE	CVE-2007-6412		Code Injection into content
2007-12-07	HSC-Research	Was 28129	Fixed R2.1	Bitweaver Cross-Site Scripting
2007-12-09	XForce	39129	Duplicate	see HSC 7th Dec 2007
2007-12-09	XForce	39130	Duplicate	see HSC 7th Dec 2007
2007-12-09	XForce	38943	Fixed R2.1
2007-12-10	Secunia	28024	Duplicate	Quoted original advisory no longer available - see HSC 7th Dec 2007
2007-12-10	securityfocus	26801	Duplicate	see HSC 7th Dec 2007
2007-12-09	osvdb	26801	Duplicate	see HSC 7th Dec 2007
2007-12-11	securityreason	3428	Duplicate	see HSC 7th Dec 2007
2007-12-11	Vupen	2007/4168	Duplicate	see HSC 7th Dec 2007
2007-12-30	AmnPardaz	4814		Not sure file upload problem is valid?
2007-09-25	Secunia	32014	Fixed R2.1	Multiple XSS Vulnerabilities
2007-09-25	XForce	45409	Fixed R2.1
2007-09-28	securityfocus	31395		Nothing identified to test
2008	CVE	CVE-2008-4337	Fixed R2.1	Multiple XSS Vulnerabilities
2009-05-12	Nine:Situations:Group	bitweaver_260	Partial fixes 2.6.1
2009-05-12	Milworm	8659	Partial fixes 2.6.1
2009-05-12	VUPEN	2009/1285	Fixed 2.6.1
2009-05-12	Secunia	35057	Partial fixes 2.6.1
2009-05-13	engineeringforfun	bitweaver	Partial fixes 2.6.1	Duplicated from

Report: Multiple XSS

The report named Multiple Cross-site Scripting Vulnerabilities has been duplicated across several sites, some of which do not list the concerned pages. The Secunia report has a list of pages that can be tested. In current versions of Bitweaver, these security issues have been fixed. They are all now handled correctly. For the original report, see Secunia Advisory: SA32014

To test if an install is compromised by the exploit, the string can be used. Bitweaver version 2 and above prevent the creation of persistent XSS attacks, so the above script can not be stored within this page and will need to be added manually to the address bar of your browser. The string will be returned with the tag characters converted to %xx equivalents. Below is a list of PHP files of Bitweaver version 1.3 and below that are expected to be vulnerable to XSS-attacks. As the problem has been addressed within the core processing of Bitweaver, from version 2 on, these files and any other files, even if not listed here, are now considered to be immune against this exploit.

• articles/edit.php
• articles/list.php
• blogs/list_blogs.php
• blogs/rankings.php
• calendar/index.php
• events/calendar.php
• events/index.php
• events/list_events.php
• fisheye/index.php
• fisheye/list_galleries.php
• liberty/list_content.php
• newsletters/edition.php
• pigeonholes/list.php
• recommends/index.php
• rss/index.php
• stars/index.php
• users/remind_password.php
• wiki/orphan_pages.php
• stats/index.php

Further search results

CVE Listing 18 entries back to 2005, mainly XSS
Secunia Listing 7 entries sub set of CVE
XForce (IBM ISS) Listing 19 entries - not spotted the extra one over CVE