MediaWiki Cross Site Scripting and CSS Image Injection Vulnerabilities


Description   Multiple vulnerabilities have been identified in MediaWiki, which could be exploited to inject scripting code or bypass restrictions.
The first issue is caused by an input validation error when handling file extensions, which could allow cross-site scripting attacks.
The second vulnerability is caused by an input validation error in the wikitext parser when handling CSS data, which could allow cross-site scripting or information disclosure.
The third issue is caused by an access validation error within the transwiki import feature when handling form submissions, which could allow wiki pages to be copied from a remote wiki listed in "$wgImportSources".
     
Vulnerable Products   Vulnerable Software:
MediaWiki versions prior to 1.16.3
     
Solution   Upgrade to MediaWiki version 1.16.3: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.3.tar.gz
Or apply patch for MediaWiki version 1.16.2:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.3.patch.gz
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.3.patch.gz
     
CVE   CVE-2011-1580
CVE-2011-1579
CVE-2011-1578
     
References   http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000096.html
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm | Available Since
XSS - Prevention - POST : suspicious tag with event found in data | 3.2.0
XSS - Prevention - POST : suspicious 'meta' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'object' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'applet' tag found in data | 3.2.0
XSS - Prevention - POST : 'location' javascript object found in data | 3.2.0
XSS - Prevention - POST : javascript code found in data | 3.2.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data | 3.2.0
XSS - Prevention - POST : code allowing cookie access found in data | 3.2.0
XSS - Prevention - POST : suspicious 'img' attribute found in data | 3.2.0
XSS - Prevention - POST : suspicious 'embed' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'div' tag found in data | 3.2.0
XSS - Prevention - POST : 'script' tag found in data | 3.2.0
XSS - Prevention - POST : suspicious 'style' attribute found in data | 3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data | 5.0.0
XSS - Prevention - POST : javascript code found in data | 5.0.0
XSS - Prevention - POST : suspicious tag with event found in data | 5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data | 5.0.0
XSS - Prevention - POST : 'location' javascript object found in data | 5.0.0
XSS - Prevention - POST : code allowing cookie access found in data | 5.0.0
XSS - Prevention - POST : 'script' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data | 5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data | 5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data | 5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data | 5.0.0
     


 
 
 
 
Risk level   Low

Vulnerability First Public Report Date   2011-04-14

Target Type   Client

Possible exploit   Local & Remote