CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
AI Score
Confidence
High
EPSS
Percentile
60.3%
A cross-site scripting vulnerability exists in this installation of MediaWiki that allows an attacker to execute arbitrary script code in the browser of an unsuspecting user. Such script code could steal authentication credentials and be used to launch other attacks.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(53449);
script_version("1.13");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");
script_cve_id("CVE-2011-1587");
script_bugtraq_id(47354);
script_xref(name:"SECUNIA", value:"44142");
script_name(english:"MediaWiki API XSS");
script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a version of MediaWiki that is affected by
a cross-site scripting vulnerability.");
script_set_attribute(attribute:"description", value:
"A cross-site scripting vulnerability exists in this installation of
MediaWiki that allows an attacker to execute arbitrary script code in
the browser of an unsuspecting user. Such script code could steal
authentication credentials and be used to launch other attacks.");
# http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000097.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bb194760");
script_set_attribute(attribute:"see_also", value:"https://phabricator.wikimedia.org/T30507");
script_set_attribute(attribute:"solution", value:
"Upgrade to MediaWiki 1.16.4 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
script_set_attribute(attribute:"vuln_publication_date", value:"2011/04/12");
script_set_attribute(attribute:"patch_publication_date", value:"2011/04/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/15");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:mediawiki:mediawiki");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses : XSS");
script_copyright(english:"This script is Copyright (C) 2011-2024 Tenable Network Security, Inc.");
script_dependencies("mediawiki_detect.nasl");
script_require_keys("installed_sw/MediaWiki", "www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
app = "MediaWiki";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80, php:TRUE);
install = get_single_install(
app_name : app,
port : port
);
dir = install['path'];
# Create a query to trigger the vulnerability.
xss = "action=query&meta=siteinfo&format=json&siprop=<body+onload=alert('XSS')>.html?";
exploit = test_cgi_xss(
port : port,
dirs : make_list(dir),
cgi : "/api%2Ephp",
qs : xss,
pass_str : "<body onload=alert('XSS')>",
ctrl_re : '{"warnings":'
);
if (!exploit)
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, build_url(qs:dir, port:port));