greg.grimes at msstate.edu
Wed Jun 25 22:19:52 CDT 2008
Anytime a POST or GET request is sent and there is no sanitation of the input
you have the potential for SQL Injection, XSS, File Injection(which is what I
think you are thinking about), and various other attacks. The way this vuln
works is anytime the AuthForm is called it takes the URI and puts it in the
<form> tag. Also, contrary to what DaveG said, your PmWiki is vulnerable also.
Firefox thankfully prevents this type of thing, but IE doesn't. Open the
following URL in IE and you will get a popup box with XSS in it. Now, this is
only a proof of concept and it is EASILY spotted, but a malicious person could
easily make it look like a legitimate link for you to follow and then when you
click on it, you actually get redirected to another site, or it could load
payload. You could even change the alert("XSS") to window.print() and it'll
bring up the browser's print dialogue. Here is the link:
Just remember to ALWAYS sanitize user input. Even XKCD agrees:
Quoting Petko Yotov <5ko at 5ko.fr>:
> On Wednesday 25 June 2008 16:12:35 Greg T. Grimes wrote:
> > I am fairly new to PmWiki development and bug tracking. Can someone
> > explain the process of getting this bug fixed? I see someone "voted" a 5
> > for it, does this mean the person agrees? Again, I'm new and just
> > wondering. Thank you.
> I am copying my question to the list:
> How could possibly the current $_SERVER['REQUEST_URI'] variable be a serious
> cross-site scripting vulnerability for anyone else than the browser which is
> calling the login form with an invalid url (non-stripped tags...)? What
> exactly client-side code could be executed?
> Feel free to demonstrate the vulnerability on my wiki which is located at
> http://galleries.accent.bg/Cookbook .
> Thanks a lot.
> pmwiki-devel mailing list
> pmwiki-devel at pmichaud.com
More information about the pmwiki-devel