Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2010-2024 Tenable Network Security, Inc.MEDIAWIKI_LOGIN_CSRF.NASL
HistoryApr 07, 2010 - 12:00 a.m.

MediaWiki Login Cross-Site Request Forgery

2010-04-0700:00:00
This script is Copyright (C) 2010-2024 Tenable Network Security, Inc.
www.tenable.com
16

7.1 High

AI Score

Confidence

Low

JSON

The version of MediaWiki running on the remote host is affected by a cross-site request forgery vulnerability involving its login page. A user with a valid wiki account can cause others to unwittingly log into that account.

A remote attacker can exploit this by tricking a user into making a maliciously crafted request, causing them to log into the attacker’s account. If the wiki is configured to allow user scripts, this could allow the attacker to obtain the victim’s password.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(45438);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");
  script_bugtraq_id(39270);
  script_xref(name:"SECUNIA", value:"39333");

  script_name(english:"MediaWiki Login Cross-Site Request Forgery");

  script_set_attribute(attribute:"synopsis", value:
"A web application running on the remote host is affected by a
cross-site request forgery vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of MediaWiki running on the remote host is affected by a
cross-site request forgery vulnerability involving its login page. A
user with a valid wiki account can cause others to unwittingly log
into that account.

A remote attacker can exploit this by tricking a user into making a
maliciously crafted request, causing them to log into the attacker's
account. If the wiki is configured to allow user scripts, this could
allow the attacker to obtain the victim's password.");
  # http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e2e32ad4");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MediaWiki 1.15.3 / 1.6.0beta2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mediawiki:mediawiki");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2010-2024 Tenable Network Security, Inc.");

  script_dependencies("mediawiki_detect.nasl");
  script_require_keys("installed_sw/MediaWiki", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "MediaWiki";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];
install_url = build_url(qs:dir, port:port);

url = '/index.php?title=Special:UserLogin';
res = http_send_recv3(method:'GET', item:dir+url, port:port, exit_on_fail:TRUE);

# First make sure this looks like the MediaWiki login page.
if (
  '<title>Log in / create account' >!< res[2] &&
  "<input type='password' class='loginPassword'" >!< res[2]
)
{
  login_url = build_url(qs:dir+url, port:port);
  exit(0, login_url+' does not appear to be the MediaWiki login page.');
}

# Then check if the anti-csrf token is present.
token_pattern = '<input type="hidden" name="wpLoginToken" value="[0-9a-f]+" />';
if (egrep(string:res[2], pattern:token_pattern))
{
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);
}
else
{
  set_kb_item(name:'www/'+port+'/XSRF', value:TRUE);
  if (report_verbosity > 0)
  {
    report = '\n' +
      'Nessus was able to verify the issue exists using the following ' +
      'URL :\n' +
      '\n' + install_url + url + '\n';
    security_note(port:port, extra:report);
  }
  else security_note(port);
  exit(0);
}
VendorProductVersionCPE
mediawikimediawikicpe:/a:mediawiki:mediawiki

7.1 High

AI Score

Confidence

Low

JSON