MediaWiki Cross-site Scripting Vulnerabilities

Date: 18/02/2007
Vendor: MediaWiki
URL: http://www.mediawiki.org/

Vulnerable versions:
MediaWiki 1.9.2 (latest) is vulnerable.
1.6.x branch before 1.6.10
1.7.x branch before 1.7.3
1.8.x branch before 1.8.4
1.9.x branch before 1.9.3

Description:
MediaWiki v1.8.2 and below are vulnerable to a plain cross-site scripting attack by exploiting the experimental AJAX features, if enabled (default). This XSS was fixed in post-1.8.2 versions (1.8.3, 1.9.0rc2, 1.9.0, 1.9.1, 1.9.2). This fix can be bypassed by encoding the XSS exploit in UTF-7.
Note: the browser's encoding auto-detection has to be enabled for successful exploitation.

Input passed to the "rs" parameter in index.php (when "action" is set to "ajax") is not properly sanitised from UTF-7 data before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Successful exploitation requires that $wgUseAjax is set to true (not the default setting) and that the target user uses Internet Explorer with encoding auto-detection enabled.

Proof-of-concept:
http://[Host]/wiki/index.php?action=ajax&rs=[XSS]
UTF-7 XSS in post-1.8.2 versions.

Examples:
v1.8.2 and below - MediaWiki Cross-site Scripting Vulnerability:
http://[Host]/wiki/index.php?action=ajax&rs=%3Cscript%3Ealert('xss')%3C/script%3E

v1.8.3 - v1.9.2 - MediaWiki UTF-7 Cross-site Scripting Vulnerability:
http://[Host]/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
http://[Host]/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%54%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%43%52%49%50%54%2B%41%44%34%2D (URL encoded)

Solution:
Update to version 1.6.10, 1.7.3, 1.8.4, or 1.9.3.

Credit:
Moshe BA from BugSec
Tel: +972-3-9622655
Fax: +972-3-9511433
Email: Info [^A-t] BugSec \*D.O.T*\ com
BugSec LTD. - www.BugSec.com
Security Consulting Company
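As an added example (not part of this advisory and not MediaWiki code), a Python detection helper for log review or a request filter: it flags index.php?action=ajax requests whose parameters carry a script tag either literally or only after UTF-7 decoding, which is the layer a filter matching on literal angle brackets does not see through. The host name and the `exampleFunction` value in the comments and tests are constructed placeholders.

```python
# Added example: detect script tags in AJAX-dispatcher parameters, including
# ones that only appear after UTF-7 decoding (the bypass in this advisory).
# Sample URLs follow the advisory's PoC patterns with a placeholder host.
import re
from urllib.parse import urlsplit, unquote, unquote_plus

SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def decode_utf7(text: str) -> str:
    """Read the text as UTF-7, as a browser with encoding auto-detection would.
    Non-ASCII input or malformed shift sequences are returned unchanged."""
    try:
        return text.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


def decodings(raw_value: str) -> list:
    """All forms a server or browser might see for one raw query value:
    percent-decoded with '+' kept (the %2B form) and with '+' as space,
    each also passed through a UTF-7 decode."""
    forms = [unquote(raw_value), unquote_plus(raw_value)]
    return forms + [decode_utf7(f) for f in forms]


def contains_script_tag(raw_value: str) -> bool:
    """True if any decoding of the value contains a <script> or </script> tag."""
    return any(SCRIPT_TAG_RE.search(form) for form in decodings(raw_value))


def flag_ajax_request(url: str) -> dict:
    """Return {parameter: decoded form that matched} for index.php?action=ajax
    requests; non-AJAX requests yield an empty dict."""
    pairs = [p.split("=", 1) for p in urlsplit(url).query.split("&") if p]
    params = {k: (v[0] if v else "") for k, *v in pairs}
    if params.get("action") != "ajax":
        return {}
    flagged = {}
    for name, raw in params.items():
        for form in decodings(raw):
            if SCRIPT_TAG_RE.search(form):
                flagged[name] = form
                break
    return flagged
```

The literal-`+` PoC is only caught because the value is also tried without `+`-to-space conversion, so a detector that normalises the query string the way PHP does would miss it; check both forms.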