https://bugzilla.wikimedia.org/show_bug.cgi?id=67527
Bug ID: 67527
Summary: Potential xss issue
Product: MediaWiki
Version: 1.20.x
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: major
Priority: Unprioritized
Component: General/Unknown
Assignee: [email protected]
Reporter: [email protected]
Web browser: ---
Mobile Platform: ---
Hello ,
An appscan audit (security tool) on mediawiki (version 1.20.3) revealed a
potential XSS issue.
In fact the tool set the value of the parameter 'section' to
''a'onmouseover='alert(921)'' in the request and it was embeded in the
response.
Bellow the Request/Response sent/received by the tool.
Could you please check this issue?
Request/Response:
GET /plugins/mediawiki/wiki/index.php?title=Main_Page&action=edit&
section='a'onmouseover='alert(921)' HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: /plugins/mediawiki/index.php/Main_Page
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
HTTP/1.0 200 OK
X-Content-Type-Options: nosniff
Content-language: en
X-Frame-Options: DENY
Vary: Accept-Encoding,Cookie
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
content-style-type: text/css
"> <!-- FUSIONFORGE BodyHeader BEGIN --> <!DOCTYPE html> <html lang="en">
<head> <meta
http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Mediawiki-
/plugins/mediawiki/wiki/index.php?title=Main_Page&action=edit§ion=
'a'onmouseover='alert(
921)' -Test</title> <link rel="SHORTCUT ICON"
href="/themes/images/favicon.ico"><!--[if IE 7]> <script
type="text/javascript">window.CKEDITOR_BASEPATH = "/scripts/ckeditor-fo
...
...
"> <!-- FUSIONFORGE BodyHeader BEGIN --> <!DOCTYPE html> <html lang="en">
<head> <meta
http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Mediawiki-
/plugins/mediawiki/wiki/index.php?title=Main_Page&action=edit§ion=
'a'onmouseover='alert(
921)' -Test</title>
...
...
<!-- start content -->
<div id="mw-content-text"><div id="wikiPreview" class="ontop" style="display:
none;"></div><form id="editform" name="editform" method="post"
action="/plugins/mediawiki/wiki/index.php?
title=Main_Page&action=submit" enctype="multipart/form-data"><input
type='hidden' value="'a'onmouseover='alert(921)'" name="wpSection" />
<input type='hidden' value="20140704094732" name="wpStarttime" />
...
...
Thank you
Amin
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
