Vulnerable versions:
MediaWiki 1.9.2 (latest) and below.
Description:
MediaWiki v1.8.2 and below are vulnerable to a plain cross-site scripting
attack by exploiting the experimental AJAX features, if enabled (default).
This XSS was fixed in post-1.8.2 versions (1.8.3, 1.9.0rc2, 1.9.0, 1.9.1,
1.9.2). This fix can be bypassed by encoding the XSS exploit in UTF-7.
Note: the browser's encoding auto-detection has to be enabled for successful
exploitation.
Proof-of-concept:
http://[Host]/wiki/index.php?action=ajax&rs=[XSS]
UTF-7 XSS in post 1.8.2 versions.
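Detection sketch for the bypass described above, added here as an example (not code from the advisory or from MediaWiki): it flags action=ajax requests whose rs parameter carries UTF-7 shifted runs that decode to HTML metacharacters, and checks whether a Content-Type value names a charset, since encoding auto-detection only comes into play when none is declared. The function names, the sample URLs and the idea of feeding it request URLs from an access log are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

SHIFTED = re.compile(r"\+[A-Za-z0-9+/]+-?")   # a UTF-7 shifted (base64) run
HTML_META = set("<>\"'")

def hides_markup_in_utf7(value):
    """True if a UTF-7 shifted run in value decodes to HTML metacharacters."""
    for run in SHIFTED.findall(value):
        try:
            decoded = run.encode("ascii").decode("utf-7")
        except UnicodeError:
            continue  # not valid UTF-7, e.g. the "++" in "C++"
        if HTML_META & set(decoded):
            return True
    return False

def flag_ajax_requests(urls):
    """Return the action=ajax URLs whose rs parameter hides markup in UTF-7."""
    flagged = []
    for url in urls:
        query = parse_qs(urlsplit(url).query)   # turns %2B back into '+'
        if query.get("action") != ["ajax"]:
            continue
        if any(hides_markup_in_utf7(v) for v in query.get("rs", [])):
            flagged.append(url)
    return flagged

def declares_charset(content_type):
    """True if a Content-Type header value names a charset explicitly."""
    return re.search(r";\s*charset\s*=\s*\S+", content_type or "", re.I) is not None

# Constructed sample requests (not taken from the advisory); the second one
# carries the harmless tag <b> encoded as UTF-7.
SAMPLE_URLS = [
    "/wiki/index.php?action=ajax&rs=exampleFunc",
    "/wiki/index.php?action=ajax&rs=%2BADw-b%2BAD4-test",
    "/wiki/index.php?title=C%2B%2B",
]

if __name__ == "__main__":
    for hit in flag_ajax_requests(SAMPLE_URLS):
        print("UTF-7 markup in rs:", hit)
    for header in ("text/html", "text/html; charset=utf-8"):
        print(header, "->", "charset declared" if declares_charset(header) else "no charset")
```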
Credit:
Moshe BA from BugSec
Tel:+972-3-9622655
Email: Info [^A-t] BugSec *D.O.T* com
BugSec LTD. - www.BugSec.com
http://www.bugsec.com/articles.php?Security=24