Respected Sir, Your website "webconverger.org" is vulnerable to XSS Attack. Vulnerable Links: webconverger.org/ikiwiki.cgi?action=verify&do=signin&openid_identifier=1 How To Reproduce The Vulnerability : 1. Go to this link : webconverger.org/ikiwiki.cgi?action=verify&do=signin&openid_identifier=1 2. refresh the page and intercept the http request using "brup suite" then at parameter "openid_identifier=" put xss payload 3. forward the request XSS Payload : 1. `">` 2. `">` 3. `">` NOTE : Proof of concept is attached. Thank You...!! Your Faithfully, Raghav Bisht raghav007bisht@gmail.com > Thanks Raghav for reporting this issue. I've fixed it in ikiwiki. > > --[[Joey]] >> [[Fix released|done]] as [[news/version_3.20150329]]. >> >> Please try to report security vulnerabilities in private first, >> to give maintainers a chance to fix them without making it easier >> for attackers to exploit the newly discovered vulnerability >> until the maintainer can respond ("[[!wikipedia responsible disclosure]]"). >> In this particular case, I was away from my computer for a few days >> and was unable to make a release until I got back. --[[smcv]] > Are versions `3.20120629` or `3.20130904.1~bpo70+1` vulnerable? (`wheezy` and > `wheezy-backports`, respectively) — [[Jon]] >> 3.20120629 is vulnerable; fixed in 3.20120629.2, which is in the proposed-updates >> queue (the security team declined to issue a DSA). The blogspam plugin doesn't >> work in wheezy either; again, a fix is in the proposed-updates queue. >> >> 3.20130904.1~bpo70+1 is almost certainly vulnerable, it looks as though someone >> has done a drive-by backport but not kept it updated. None of ikiwiki's Debian >> maintainers are involved in that backport; the .deb from jessie (or even from >> experimental) works fine on wheezy without recompilation. I use the latest >> upstream release from experimental on my otherwise-Debian-7 server. --[[smcv]]