Two days ago I was playing with ikiwiki’s login methods and its templates. After that came the turn of the comments plugin and its input fields. Almost accidentaly, I discovered that the contents of comment’s author input field weren’t correctly sanitized, having as a consequence a stored XSS.

I spent the rest of that day trying to figure out where the bug was. A couple of details slowed my search down for hours:

  • I didn’t know how ikiwiki’s code was structured
  • I dislike perl’s syntax

It was 3 AM when I realized my brain wasn’t working properly anymore, and decided to get some sleep. Next day, after spending hours debugging ikiwiki’s code, I finally found out where the bug was.

ASAP I contacted Joey Hess (ikiwiki’s creator) and the Debian Security Team in order to disclose the vulnerability. Their work was flawless and fast, and a few hours later the bug was disclosed with CVE ID CVE-2012-0220. An advisory was made with DSA ID DSA-2474.