[pmwiki-users] Cross Site Scripting

Petko Yotov 5ko at 5ko.fr
Fri Apr 19 19:16:29 CDT 2013


What was the previous PmWiki version which didn't have XSS?

This is very likely not something related to PmWiki 2.2.49. When a browser
requests a URL like
http://ella.shadlenlab.columbia.edu/undefined1<ScRiPt>prompt(933131)</ScRiPt>
this request is very likely NOT processed by PmWiki at all.

If a browser requests a URL in the pmwiki/pub directory, the request is NOT  
processed by PmWiki at all. Same for the other directories you listed below.

You should check your ErrorDocument 404 files, which may be vulnerable.

Or, it may be that one of your recipes is vulnerable, but what you posted
doesn't look like it.

Only the requests to /index.php and /pmwiki/index.php are suspicious - if  
you have such files, check their content. The one in the pmwiki/ directory  
should only include or require pmwiki.php like this:

   <?php include_once('pmwiki.php');


Petko
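The point about ErrorDocument 404 files is worth seeing in code. The following is an added example, not code from Petko's reply or from PmWiki: a custom 404 page that echoes the requested path back into the HTML, first in the reflecting form a scanner would flag, then with the value encoded for an HTML text context. The function names and the `404.php` file name are hypothetical; the probe string is the one from the scan report quoted below, used here only as constructed local input.

```php
<?php
// Added example (not PmWiki code). A hand-written ErrorDocument 404 handler
// that reflects the requested path. render_not_found_unsafe and
// render_not_found are hypothetical names, not PmWiki functions.

// Reflecting pattern: the raw request URI is interpolated into the body, so a
// request for /undefined1<ScRiPt>prompt(933131)</ScRiPt> yields a live script
// element in the 404 page. PmWiki never runs for such a request; the error
// document itself is where the reflection happens.
function render_not_found_unsafe(string $request_uri): string {
    return "<h1>Not Found</h1><p>The page {$request_uri} does not exist.</p>";
}

// Hardened version: encode the value before output. ENT_QUOTES also encodes
// quotes so the same helper stays safe inside an attribute; ENT_SUBSTITUTE
// replaces invalid UTF-8 sequences instead of returning an empty string.
function render_not_found(string $request_uri): string {
    $safe = htmlspecialchars($request_uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Not Found</h1><p>The page {$safe} does not exist.</p>";
}

// Returns true when the rendered HTML still contains an unencoded tag from the
// input, i.e. when the handler reflects markup.
function reflects_markup(string $html): bool {
    return stripos($html, '<ScRiPt>') !== false;
}

// Local self-check with the probe string from the scan report (constructed
// input; no network request is made). Run from the shell: php 404.php
$probe = '/undefined1<ScRiPt>prompt(933131)</ScRiPt>';
echo 'unsafe handler reflects raw tag: '
    . (reflects_markup(render_not_found_unsafe($probe)) ? 'yes' : 'no') . "\n";
echo 'encoded handler reflects raw tag: '
    . (reflects_markup(render_not_found($probe)) ? 'yes' : 'no') . "\n";
echo render_not_found($probe) . "\n";
```

Wired up as a real handler, `404.php` would call `http_response_code(404); echo render_not_found($_SERVER['REQUEST_URI']);` and Apache would point at it with `ErrorDocument 404 /404.php`. The same check applies to any template or recipe that prints `$_SERVER['REQUEST_URI']`, `$_GET` values or the page name into HTML without passing them through `htmlspecialchars()`.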


Maria McKinley writes:
>
> Hi there,
>
> I have upgraded PmWiki to Version 2.2.49, and have added this line to
> config.php (http://www.pmwiki.org/wiki/PmWiki/UploadVariables#UploadBlacklist):
> $UploadBlacklist = array('.php', '.pl', '.cgi', '.py', '.shtm', '.phtm', '.pcgi', '.asp', '.jsp', '.sh');
>
> However, my university won't let our web server through their firewall  
> because they say that the site is vulnerable to Cross Site Scripting. They  
> say it affects the following directories:
>
>
> Affects                        Variation
> /                              3
> /index.php                     1
> /pictures                      1
> /pmwiki                        3
> /pmwiki/cache                  1
> /pmwiki/image                  1
> /pmwiki/index.php              1
> /pmwiki/pub                    1
> /pmwiki/pub/css                1
> /pmwiki/pub/skins              1
> /pmwiki/pub/skins/parchment    1
> /pmwiki/uploads
>
>
> Here are the details for the first one:
>
> Details
> /
> URI was set to undefined1<ScRiPt>prompt(933131)</ScRiPt>
> The input is reflected inside a text element.
> GET /undefined1<ScRiPt>prompt(933131)</ScRiPt> HTTP/1.1
> Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide; _setdiv2=show; _setdiv10=show
> Host: ella.shadlenlab.columbia.edu
> Connection: Keep-alive
> Accept-Encoding: gzip,deflate
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
> Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
> Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
> Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
> Accept: */*
> Request headers
> Details
> /
> URI was set to undefined1<ScRiPt>prompt(970217)</ScRiPt>
> The input is reflected inside a text element.
> GET /undefined1<ScRiPt>prompt(970217)</ScRiPt> HTTP/1.1
> Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide; _setdiv2=show; _setdiv10=show
> Host: ella.shadlenlab.columbia.edu
> Connection: Keep-alive
> Accept-Encoding: gzip,deflate
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
> Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
> Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
> Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
> Accept: */*
>
>
> Any ideas what I can do about this? They won't let my server run until this
> is fixed. Thanks,
> maria
