<div dir="ltr">I didn't mean to imply that my previous version of pmwiki didn't have this issue. I was just mentioning the version, since I was under the impression that the version I have now is suppose to have fixed some cross scripting vulnerabilities. I don't know very much about this vulnerability, but now that I look more closely at their report, it affects pretty much all of my pmwiki site, as well as some non-pmwiki bits. It appears they want me to install something like this:<div>
<br></div><div><a href="http://htmlpurifier.org/">http://htmlpurifier.org/</a><br></div><div><br></div><div style>I don't know anything about it. Has anyone tried to run something like this on a pmwiki site? </div><div style>
<br></div><div style>thanks,</div><div style>maria</div><div style><br></div><div style><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Apr 19, 2013 at 5:16 PM, Petko Yotov <span dir="ltr"><<a href="mailto:5ko@5ko.fr" target="_blank">5ko@5ko.fr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">What was the previous PmWiki version which didn't have XSS?<br>
<br>
This is very likely not something related to PmWiki 2.2.49. When a browser requests an URL likehttp://<a href="http://ella.shadlenlab.columbia.edu/undefined1" target="_blank">ella.shadlenlab.<u></u>columbia.edu/undefined1</a><<u></u>ScRiPt>prompt(933131)</ScRiPt> this request is very likely NOT processed by PmWiki at all.<br>
<br>
If a browser requests a URL in the pmwiki/pub directory, the request is NOT processed by PmWiki at all. Same for the other directories you listed below.<br>
<br>
You should check your ErrorDocument 404 files, which may be vulnerable.<br>
<br>
Or, it may be that some of your recipes is vulnerable, but what you posted doesn't look like it.<br>
<br>
Only the requests to /index.php and /pmwiki/index.php are suspicious - if you have such files, check their content. The one in the pmwiki/ directory should only include or require pmwiki.php like this:<br>
<br>
<?php include_once('pmwiki.php');<br>
<br>
<br>
Petko<br>
<br>
<br>
Maria McKinley writes:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
« HTML content follows »<br>
<br>
Hi there,<br>
<br>
I have upgraded PmWiki to Version 2.2.49, and have add this line to config.php <URL:<a href="http://www.pmwiki.org/wiki/PmWiki/UploadVariables#UploadBlacklist" target="_blank">http://www.pmwiki.org/<u></u>wiki/PmWiki/UploadVariables#<u></u>UploadBlacklist</a>>$<u></u>UploadBlacklist = array('.php', '.pl', '.cgi', '.py', '.shtm', '.phtm', '.pcgi', '.asp', '.jsp', '.sh');<div class="im">
<br>
<br>
However, my university won't let our web server through their firewall because they say that the site is vulnerable to Cross Site Scripting. They say it affects the following directories:<br>
<br>
<br>
<br>
Affects Variation<br>
/ 3<br>
/index.php 1<br>
/pictures 1<br>
/pmwiki 3<br>
/pmwiki/cache 1<br>
/pmwiki/image 1<br>
/pmwiki/index.php 1<br>
/pmwiki/pub 1<br>
/pmwiki/pub/css 1<br>
/pmwiki/pub/skins 1<br>
/pmwiki/pub/skins/parchment 1<br>
/pmwiki/uploads<br>
<br>
<br>
Here are the details for the first one:<br>
<br>
<br>
<br>
Details<br>
/<br>
URI was set to undefined1<ScRiPt>prompt(<u></u>933131)</ScRiPt><br>
The input is reflected inside a text element.<br>
GET /undefined1<ScRiPt>prompt(<u></u>933131)</ScRiPt> HTTP/1.1<br>
Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide; _setdiv2=show;<br>
_setdiv10=show<br></div>
Host: <URL:<a href="http://ella.shadlenlab.columbia.edu" target="_blank">http://ella.shadlenlab.<u></u>columbia.edu</a>><a href="http://ella.shadlenlab.columbia.edu" target="_blank">ella.shadlenlab.<u></u>columbia.edu</a><div class="im">
<br>
Connection: Keep-alive<br>
Accept-Encoding: gzip,deflate<br>
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)<br>
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)<br>
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED<br></div>
Acunetix-User-agreement: <URL:<a href="http://www.acunetix.com/wvs/disc.htm" target="_blank">http://www.acunetix.com/<u></u>wvs/disc.htm</a>><a href="http://www.acunetix.com/wvs/disc.htm" target="_blank">http://www.<u></u>acunetix.com/wvs/disc.htm</a><div class="im">
<br>
Accept: */*<br>
Request headers<br>
Details<br>
/<br>
URI was set to undefined1<ScRiPt>prompt(<u></u>970217)</ScRiPt><br>
The input is reflected inside a text element.<br>
GET /undefined1<ScRiPt>prompt(<u></u>970217)</ScRiPt> HTTP/1.1<br>
Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide; _setdiv2=show;<br>
_setdiv10=show<br></div>
Host: <URL:<a href="http://ella.shadlenlab.columbia.edu" target="_blank">http://ella.shadlenlab.<u></u>columbia.edu</a>><a href="http://ella.shadlenlab.columbia.edu" target="_blank">ella.shadlenlab.<u></u>columbia.edu</a><div class="im">
<br>
Connection: Keep-alive<br>
Accept-Encoding: gzip,deflate<br>
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)<br>
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)<br>
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED<br></div>
Acunetix-User-agreement: <URL:<a href="http://www.acunetix.com/wvs/disc.htm" target="_blank">http://www.acunetix.com/<u></u>wvs/disc.htm</a>><a href="http://www.acunetix.com/wvs/disc.htm" target="_blank">http://www.<u></u>acunetix.com/wvs/disc.htm</a><div class="im">
<br>
Accept: */*<br>
<br>
<br>
Any ideas what I can do about this? They won't let my server run until this is fixed. thanks,<br>
maria<br>
</div></blockquote>
<br>
______________________________<u></u>_________________<br>
pmwiki-users mailing list<br>
<a href="mailto:pmwiki-users@pmichaud.com" target="_blank">pmwiki-users@pmichaud.com</a><br>
<a href="http://www.pmichaud.com/mailman/listinfo/pmwiki-users" target="_blank">http://www.pmichaud.com/<u></u>mailman/listinfo/pmwiki-users</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Maria Mckinley<br>Programmer and System Administrator
</div>