https://bugzilla.wikimedia.org/show_bug.cgi?id=34257

Alex Tanchoco <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]
                   |                            |g

--- Comment #6 from Alex Tanchoco <[email protected]> 2012-04-04 20:23:59 UTC ---
Hello, I just want to share this with the Mediawiki community for reference.

A vulnerability scan of a Mediawiki 1.18.1 installation was falsely flagged as
positive on an XSS injection attempt.

The injection url looks something like
"https://site-address/load.php?debug=false&lang=en&modules=mediawiki.legacy.common...";
and was replaced with
"https://site-address/load.php?debug=false&lang=<script>somescript&modules=mediawiki.legacy.common..."

Mediawiki correctly issued a message saying that "<script>somescript" is an
invalid language code but the vulnerability scanner falsely interpreted the
echoed message as a positive injection.
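The false positive described in the comment comes from a scanner matching its probe string in the response without checking whether the echo is HTML-escaped. The following Python is an added triage example, not code from MediaWiki or from the comment's author: a constructed stand-in for the language-code check (MediaWiki's own validation lives in its Language class and is not reproduced here), a constructed error page in both the escaped and the defective unescaped form, and a classifier that reports whether a probe was reflected raw, reflected escaped, or not at all. The probe value `<script>somescript` is the one quoted in the comment; everything else is constructed.

```python
import html
import re

# Probe shape quoted in the comment: the lang= value of load.php replaced with
# a script tag. Used here only as a constructed sample input for triage.
PROBE_LANG = "<script>somescript"

# Hypothetical language-code rule (assumption, not MediaWiki's real check):
# letters, digits and hyphens only. It is enough to reject the probe above.
LANG_CODE_RE = re.compile(r"^[a-z0-9-]+$", re.IGNORECASE)


def is_valid_lang_code(code: str) -> bool:
    """Return True for a code that matches the constructed rule."""
    return bool(LANG_CODE_RE.match(code))


def render_invalid_lang_error(code: str) -> str:
    """Constructed error page that echoes the rejected value HTML-escaped,
    which is what a correctly written responder does."""
    return f"<p>Invalid language code: {html.escape(code, quote=True)}</p>"


def render_unsafe_error(code: str) -> str:
    """Constructed defective variant, for contrast only: echoes the value
    unescaped, so markup in it would be parsed by a browser."""
    return f"<p>Invalid language code: {code}</p>"


def classify_reflection(payload: str, body: str) -> str:
    """Triage rule for a reflected-XSS finding.

    'raw'     : payload appears byte-for-byte in the body (real reflection)
    'escaped' : only the HTML-escaped form appears (echo is inert)
    'absent'  : payload does not appear in either form
    """
    if payload in body:
        return "raw"
    escaped_forms = (
        html.escape(payload, quote=True),
        html.escape(payload, quote=False),
    )
    if any(form in body for form in escaped_forms):
        return "escaped"
    return "absent"


def triage_finding(payload: str, body: str) -> str:
    """Map the classification to the verdict a reviewer would record."""
    verdict = classify_reflection(payload, body)
    if verdict == "raw":
        return "confirmed: payload reflected unescaped"
    if verdict == "escaped":
        return "false positive: payload reflected HTML-escaped"
    return "not reflected"


if __name__ == "__main__":
    assert not is_valid_lang_code(PROBE_LANG)
    safe_page = render_invalid_lang_error(PROBE_LANG)
    unsafe_page = render_unsafe_error(PROBE_LANG)
    print(triage_finding(PROBE_LANG, safe_page))    # false positive: ...
    print(triage_finding(PROBE_LANG, unsafe_page))  # confirmed: ...
```

Run against the escaped error page, the classifier reports the probe as `escaped`, which is the situation the comment describes: the scanner saw its string in the response, but only in a form the browser renders as text. The unescaped variant is included so the same function shows the case that would merit a real finding.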

Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l