Shindig Security Issues

Please note that, except in rare circumstances, binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular vulnerability you should upgrade to an Apache Shindig version where that vulnerability has been fixed.

Source patches, usually in the form of references to SVN commits, may be provided either in a vulnerability announcement or in the vulnerability details listed on these pages. These source patches may be used by users wishing to build their own local version of Shindig with just that security patch rather than upgrade.

Shindig 2.5.0 Vulnerabilities

Information disclosure CVE-2013-4295

The gadget renderer in the PHP version of Apache Shindig is subject to an XML External Entity (XXE) Injection attack. The vulnerability allows a malicious gadget author to construct paths to content on the gadget rendering server which in turn will display the content in the gadget iframe.
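As an added illustration of the defence (this is example code, not Shindig's own renderer or the r1526307 fix), the snippet below parses a constructed gadget spec in PHP with external entity loading and network fetches disabled, and rejects any spec that declares a DTD at all; the entity's SYSTEM path is a placeholder.

```php
<?php
// Added example, not part of Apache Shindig: load a gadget spec so that an
// <!ENTITY ... SYSTEM "..."> declared by a gadget author cannot pull content
// from the rendering server into the gadget iframe.

// Constructed sample gadget spec carrying an external entity (placeholder path).
$gadgetXml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE Module [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/server-side/file"> ]>
<Module>
  <ModulePrefs title="demo gadget"/>
  <Content type="html">&ext;</Content>
</Module>
XML;

/**
 * Parse a gadget spec safely. Returns the DOMDocument, or null on a parse error.
 * Throws if the spec declares a DTD, since gadget specs never need one.
 */
function loadGadgetSpec(string $xml): ?DOMDocument
{
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DTD/entity declarations are not allowed in a gadget spec');
    }
    // Belt and braces: forbid external entity loading even if a DOCTYPE slipped through.
    // (Deprecated and already the default on PHP >= 8.0; still valid on older versions.)
    $prevLoader = libxml_disable_entity_loader(true);
    $prevErrors = libxml_use_internal_errors(true); // collect libxml errors instead of emitting warnings
    $dom = new DOMDocument();
    // LIBXML_NOENT is deliberately NOT passed, so entities are never substituted;
    // LIBXML_NONET forbids fetching remote DTDs or entities over the network.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    libxml_disable_entity_loader($prevLoader);
    return $ok ? $dom : null;
}

try {
    loadGadgetSpec($gadgetXml);
    echo "unexpected: spec accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The weak configuration to look for in a renderer is the opposite of this: `loadXML()` called with `LIBXML_NOENT` (or `LIBXML_DTDLOAD`) and no DOCTYPE check, which is what lets a SYSTEM entity expand into server-side content.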

This was fixed in revision 1526307.

This issue was discovered by Kousuke Ebihara on 12 Aug 2013 and made public on 21 Oct 2013.

Affects: 2.5.0 (PHP)

Fixed In: 2.5.0-update1