MediaWiki AJAX Index.PHP Cross-Site Scripting Vulnerability
BID:21956
Info
| Bugtraq ID: | 21956 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-0177 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 09 2007 12:00AM |
| Updated: | Apr 16 2007 07:01PM |
| Credit: | Moshe Ben-Abu from BugSec is credited with the discovery of this vulnerability. |
| Vulnerable: | S.u.S.E. openSUSE 10.2; MediaWiki MediaWiki 1.9.2; MediaWiki MediaWiki 1.9.1; MediaWiki MediaWiki 1.8.3; MediaWiki MediaWiki 1.8.2; MediaWiki MediaWiki 1.8.1; MediaWiki MediaWiki 1.8; MediaWiki MediaWiki 1.7.2; MediaWiki MediaWiki 1.7.1; MediaWiki MediaWiki 1.7; MediaWiki MediaWiki 1.6.9; MediaWiki MediaWiki 1.6.8; MediaWiki MediaWiki 1.6.7; MediaWiki MediaWiki 1.6.6; MediaWiki MediaWiki 1.6.5; MediaWiki MediaWiki 1.6.4; MediaWiki MediaWiki 1.6.3; MediaWiki MediaWiki 1.6.2; MediaWiki MediaWiki 1.6.1; MediaWiki MediaWiki 1.6; MediaWiki MediaWiki 1.5.8; MediaWiki MediaWiki 1.5.7; MediaWiki MediaWiki 1.5.6; MediaWiki MediaWiki 1.5.4; MediaWiki MediaWiki 1.5.3; MediaWiki MediaWiki 1.5.2; MediaWiki MediaWiki 1.5.1; MediaWiki MediaWiki 1.5 beta3; MediaWiki MediaWiki 1.5 beta2; MediaWiki MediaWiki 1.5 beta1; MediaWiki MediaWiki 1.5 alpha2; MediaWiki MediaWiki 1.5 alpha1; MediaWiki MediaWiki 1.5 .0; MediaWiki MediaWiki 1.4.15; MediaWiki MediaWiki 1.4.14; MediaWiki MediaWiki 1.4.12; MediaWiki MediaWiki 1.4.11; MediaWiki MediaWiki 1.4.10; MediaWiki MediaWiki 1.4.9; MediaWiki MediaWiki 1.4.8; MediaWiki MediaWiki 1.4.7; MediaWiki MediaWiki 1.4.6; MediaWiki MediaWiki 1.4.5; MediaWiki MediaWiki 1.4.3; MediaWiki MediaWiki 1.4.2; MediaWiki MediaWiki 1.4.1; MediaWiki MediaWiki 1.4 beta6; MediaWiki MediaWiki 1.4 beta5; MediaWiki MediaWiki 1.4 beta4; MediaWiki MediaWiki 1.4 beta3; MediaWiki MediaWiki 1.4 beta2; MediaWiki MediaWiki 1.4 beta1; MediaWiki MediaWiki 1.3.13; MediaWiki MediaWiki 1.3.11; MediaWiki MediaWiki 1.3.10; MediaWiki MediaWiki 1.3.9; MediaWiki MediaWiki 1.3.8; MediaWiki MediaWiki 1.3.7; MediaWiki MediaWiki 1.3.6; MediaWiki MediaWiki 1.3.5; MediaWiki MediaWiki 1.3.4; MediaWiki MediaWiki 1.3.3; MediaWiki MediaWiki 1.3.2; MediaWiki MediaWiki 1.3.1; MediaWiki MediaWiki 1.3; MediaWiki MediaWiki 1.9.0rc2; MediaWiki MediaWiki 1.9.0rc1 |
| Not Vulnerable: | |
Discussion
MediaWiki is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
UPDATE: Although a fix was issued to address this issue, attackers may bypass the fix by encoding an exploit in UTF-7.
Exploit / POC
To exploit this issue, an attacker must entice an unsuspecting user to follow a malicious URI.
The following proof-of-concept URIs are available:
Solution / Fix
Solution:
Although the vendor released an update to address this issue, further reports show that the fix failed to properly address this vulnerability.
Please see the references for further information.
References
References:
- 1.6.9 Release Notes (MediaWiki)
- 1.7.2 Release Notes (MediaWiki)
- 1.8.3 Release Notes (MediaWiki)
- 1.9.0rc2 Release Notes (MediaWiki)
- MediaWiki 1.6.9, 1.7.2, 1.8.3, 1.9.0rc2 released (MediaWiki)
- MediaWiki Homepage (MediaWiki)
- MediaWiki Cross-site Scripting (Moshe BA from BugSec)