[pmwiki-users] Cross Site Scripting

Maria McKinley mariak at mariakathryn.net
Fri Apr 19 16:14:43 CDT 2013


Hi there,

I have upgraded PmWiki to Version 2.2.49, and have added this line to
config.php (see http://www.pmwiki.org/wiki/PmWiki/UploadVariables#UploadBlacklist):

  $UploadBlacklist = array('.php', '.pl', '.cgi', '.py', '.shtm', '.phtm',
                           '.pcgi', '.asp', '.jsp', '.sh');

However, my university won't let our web server through their firewall
because they say that the site is vulnerable to Cross Site Scripting. They
say it affects the following directories:

Affects                          Variation
/                                3
/index.php                       1
/pictures                        1
/pmwiki                          3
/pmwiki/cache                    1
/pmwiki/image                    1
/pmwiki/index.php                1
/pmwiki/pub                      1
/pmwiki/pub/css                  1
/pmwiki/pub/skins                1
/pmwiki/pub/skins/parchment      1
/pmwiki/uploads

Here are the details for the first one:

Details
/
URI was set to undefined1<ScRiPt>prompt(933131)</ScRiPt>
The input is reflected inside a text element.
Request headers
GET /undefined1<ScRiPt>prompt(933131)</ScRiPt> HTTP/1.1
Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide; _setdiv2=show; _setdiv10=show
Host: ella.shadlenlab.columbia.edu
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

Details
/
URI was set to undefined1<ScRiPt>prompt(970217)</ScRiPt>
The input is reflected inside a text element.
GET /undefined1<ScRiPt>prompt(970217)</ScRiPt> HTTP/1.1
Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide; _setdiv2=show; _setdiv10=show
Host: ella.shadlenlab.columbia.edu
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

Any ideas what I can do about this? They won't let my server run until this
is fixed. Thanks,
maria
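As an added illustration (not PmWiki's code and not part of the original post), here is a minimal model of the class of finding the scanner reports: a request path echoed into an HTML text element without encoding, next to the encoded form, plus a triage check that tells a confirmed reflection apart from a fixed one in a response body. The probe string is the one quoted in the report above; the two rendering functions are hypothetical stand-ins for whatever page echoes the path.

```python
import html

# Probe string copied from the scanner report quoted in the post above.
PROBE = 'undefined1<ScRiPt>prompt(933131)</ScRiPt>'


def probe_from_request_line(request_line: str) -> str:
    """Pull the request target out of a raw request line such as
    'GET /undefined1<ScRiPt>... HTTP/1.1' and drop the leading slash,
    matching the 'URI was set to ...' wording in the report."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"unexpected request line: {request_line!r}")
    return parts[1].lstrip("/")


def render_not_found_unsafe(request_uri: str) -> str:
    """Hypothetical 'before': the request path is echoed into an HTML
    text node as-is, which is the defect the scanner is describing."""
    return f"<p>Page not found: {request_uri}</p>"


def render_not_found_safe(request_uri: str) -> str:
    """Hypothetical 'after': encode for an HTML text context before echoing.
    quote=True also neutralises quotes, so the same helper is safe inside
    double-quoted attribute values."""
    return f"<p>Page not found: {html.escape(request_uri, quote=True)}</p>"


def reflection_status(body: str, probe: str) -> str:
    """Triage a response body against the probe from the report:
    'unescaped'     - the probe's markup survived verbatim (finding confirmed)
    'escaped'       - reflected, but as entity-encoded inert text (fixed)
    'not reflected' - the input does not appear in the response at all"""
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=True) in body:
        return "escaped"
    return "not reflected"


if __name__ == "__main__":
    probe = probe_from_request_line(
        "GET /undefined1<ScRiPt>prompt(933131)</ScRiPt> HTTP/1.1")
    for renderer in (render_not_found_unsafe, render_not_found_safe):
        print(renderer.__name__, "->", reflection_status(renderer(probe), probe))
```

Once the real page is fixed, running `reflection_status` over its actual response to the reported request should move from "unescaped" to "escaped" or "not reflected".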