[Mediawiki-l] Cross Site Scripting bug in 1.5b4

Wolfe, Jeff Jeff_Wolfe at intuit.com
Thu Aug 25 00:11:23 UTC 2005


Hi All,

I apologize if this isn't the place to report this, but a colleague and I
uncovered a cross site scripting bug that seems to be in the 1.5 branch.
I've seen it in 1.5b4.  Exploiting it is easy.  The contents of the search box
are placed verbatim on the search results page.  This means you can place
any HTML you want in the search and up it comes.  Since the search
parameters are passed on the URL, it's a no-brainer to create a URL with
offending content.  Add the following URL to any 1.5b4 site and you should
see a JavaScript alert box pop up:

index.php/Special:Search?search=%3Cbody+onload%3D%22javascript%3Aalert%28%27cross+site+script+testing+shows+you+are+vulnerable%27%29%3B%22%3E%3Cb%3E%3Ci%3Ecross+site+script+test%3C%2Fi%3E%3C%2Fb%3E%3C%2Fbody%3E

As an example in the wild (sorry, Gentoo) as of this writing:
http://gentoo-wiki.com/index.php/Special:Search?search=%3Cbody+onload%3D%22javascript%3Aalert%28%27cross+site+script+testing+shows+you+are+vulnerable%27%29%3B%22%3E%3Cb%3E%3Ci%3Ecross+site+script+test%3C%2Fi%3E%3C%2Fb%3E%3C%2Fbody%3E

I have not seen this earlier than the 1.5 branch, and it would seem
Wikipedia and a few others are doing something different from the default
which prevents the issue.  One simple workaround is to change the
'searchquery' message to not use the $1 parameter for now.

Keep the faith,
Jeff
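As an added illustration (not code from MediaWiki or from the post above), the rendering pattern the report describes beside its fix: a hypothetical message template standing in for the 'searchquery' message, with `$1` substituted by the user's search term. Substituting the raw term reproduces the reflected XSS; HTML-escaping the term before substitution closes it. The template text, function names and sample term are assumptions.

```php
<?php
// Added example, not MediaWiki's own code. Assumed template standing in for
// the 'searchquery' message the report mentions; $1 is the user's term.
const SEARCHQUERY_MSG = 'For query "$1"';

// Vulnerable form: the raw search term is substituted into the message, so
// any HTML arriving in the query string is emitted verbatim into the page.
function renderSearchQueryVulnerable(string $term): string
{
    return str_replace('$1', $term, SEARCHQUERY_MSG);
}

// Fixed form: escape the term as HTML text before substitution. ENT_QUOTES
// also escapes both quote styles, so the term cannot close an attribute.
function renderSearchQuerySafe(string $term): string
{
    $escaped = htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
    return str_replace('$1', $escaped, SEARCHQUERY_MSG);
}

// Check used by the demo below: the message should contain no raw tag
// delimiters or quotes beyond the two that belong to the template itself.
function containsRawMarkup(string $html): bool
{
    return strpos($html, '<') !== false || substr_count($html, '"') > 2;
}

// Constructed sample term, the shape the report describes: markup plus a
// quoted attribute, as it would arrive decoded from the search= parameter.
$term = urldecode('%3Cb+title%3D%22x%22%3Etest%3C%2Fb%3E');

$vulnerable = renderSearchQueryVulnerable($term);
$safe = renderSearchQuerySafe($term);

printf("vulnerable: %s  (raw markup: %s)\n",
    $vulnerable, containsRawMarkup($vulnerable) ? 'yes' : 'no');
printf("safe:       %s  (raw markup: %s)\n",
    $safe, containsRawMarkup($safe) ? 'yes' : 'no');
```

The same check applies to any message whose parameters come from the request: escape at the point of substitution, not somewhere upstream that a later code path may bypass.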