[pmwiki-users] Cross Site Scripting
Petko Yotov
5ko at 5ko.fr
Sat Apr 20 02:10:52 CDT 2013
Maria McKinley writes:
> I was under the impression
> that the version I have now is supposed to have fixed some cross-site scripting
> vulnerabilities.
Yes, it is supposed to have fixed all vulnerabilities that were demonstrated
to me. And in most cases they were fixed in a new version the day when I
knew about them (in the few other cases, the next day).
> I don't know very much about this vulnerability, but now
> that I look more closely at their report, it affects pretty much all of my
> pmwiki site, as well as some non-pmwiki bits.
This is why I suggested looking at your ErrorDocument 404 file. If you have
such a file, which is executed when a browser requests a document that
doesn't exist, it is possible that that file tells the visitor:
Sorry, the file you requested "<?php echo $_SERVER['REQUEST_URI']; ?>"
was not found
and this will allow XSS injections if the variable is not correctly
sanitized.
> It appears they want me to
> install something like this:
> http://htmlpurifier.org/
> I don't know anything about it. Has anyone tried to run something like this
> on a pmwiki site?
I haven't, but if PmWiki does allow XSS, it will be fixed as soon as we know
about it. A demonstration of the XSS on the pmwiki.org website is a way to
show that the problem comes with PmWiki and not with something external to
it like the ErrorDocument 404 files.
Petko
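As an added example (not code from this thread or from PmWiki), here is the ErrorDocument 404 pattern described above, the raw-echo form beside one that escapes the URI before output; the function names and the CLI/self-check layout are assumptions.

```php
<?php
// Added example, not from the PmWiki project or the mailing-list thread.
// A custom ErrorDocument 404 page that echoes the requested path must encode
// it for HTML, otherwise the path is reflected into the page as markup.

// Pattern described in the thread: REQUEST_URI inserted into the text as-is.
function notFoundMessageRaw(string $uri): string
{
    return 'Sorry, the file you requested "' . $uri . '" was not found';
}

// Hardened form: encode <, >, &, " and ' so the browser renders text only.
function notFoundMessageSafe(string $uri): string
{
    $escaped = htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return 'Sorry, the file you requested "' . $escaped . '" was not found';
}

// Returns true when a rendered message still contains a raw tag opener.
function reflectsMarkup(string $html): bool
{
    return stripos($html, '<script') !== false;
}

if (PHP_SAPI === 'cli') {
    // Constructed input modelled on the scanner request quoted in the thread.
    $probe = '/undefined1<ScRiPt>prompt(933131)</ScRiPt>';

    // Compare what each variant would hand to the browser.
    var_dump(reflectsMarkup(notFoundMessageRaw($probe)));
    var_dump(reflectsMarkup(notFoundMessageSafe($probe)));
    echo notFoundMessageSafe($probe), "\n";
} else {
    // As the real handler, emit only the escaped variant with a proper
    // status code and charset so the browser does not guess the encoding.
    http_response_code(404);
    header('Content-Type: text/html; charset=UTF-8');
    echo notFoundMessageSafe($_SERVER['REQUEST_URI'] ?? '');
}
```

Run it with `php 404.php` from a shell to see the two checks; as an Apache `ErrorDocument 404 /404.php` target it only ever emits the escaped message.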
> On Fri, Apr 19, 2013 at 5:16 PM, Petko Yotov <5ko at 5ko.fr> wrote:
>
> What was the previous PmWiki version which didn't have XSS?
>
> This is very likely not something related to PmWiki 2.2.49. When a browser
> requests a URL like
> http://ella.shadlenlab.columbia.edu/undefined1<ScRiPt>prompt(933131)</ScRiPt>
> this request is very likely NOT processed by PmWiki at all.
>
> If a browser requests a URL in the pmwiki/pub directory, the request is
> NOT processed by PmWiki at all. Same for the other directories you listed
> below.
>
> You should check your ErrorDocument 404 files, which may be vulnerable.
>
> Or, it may be that one of your recipes is vulnerable, but what you posted
> doesn't look like it.
>
> Only the requests to /index.php and /pmwiki/index.php are suspicious - if
> you have such files, check their content. The one in the pmwiki/ directory
> should only include or require pmwiki.php like this:
>
> <?php include_once('pmwiki.php');
>
>
> Petko
>
>
> Maria McKinley writes:
>
>
> Hi there,
>
> I have upgraded PmWiki to Version 2.2.49, and have added this line to
> config.php (http://www.pmwiki.org/wiki/PmWiki/UploadVariables#UploadBlacklist):
> $UploadBlacklist = array('.php', '.pl', '.cgi', '.py', '.shtm', '.phtm',
> '.pcgi', '.asp', '.jsp', '.sh');
>
>
> However, my university won't let our web server through their firewall
> because they say that the site is vulnerable to Cross Site Scripting.
> They say it affects the following directories:
>
>
>
> Affects Variation
> / 3
> /index.php 1
> /pictures 1
> /pmwiki 3
> /pmwiki/cache 1
> /pmwiki/image 1
> /pmwiki/index.php 1
> /pmwiki/pub 1
> /pmwiki/pub/css 1
> /pmwiki/pub/skins 1
> /pmwiki/pub/skins/parchment 1
> /pmwiki/uploads
>
>
> Here are the details for the first one:
>
>
>
> Details
> /
> URI was set to undefined1<ScRiPt>prompt(933131)</ScRiPt>
> The input is reflected inside a text element.
> GET /undefined1<ScRiPt>prompt(933131)</ScRiPt> HTTP/1.1
> Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide;
> _setdiv2=show;
> _setdiv10=show
> Host: ella.shadlenlab.columbia.edu
>
> Connection: Keep-alive
> Accept-Encoding: gzip,deflate
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
> Trident/5.0)
> Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
> Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
> Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
>
> Accept: */*
> Request headers
> Details
> /
> URI was set to undefined1<ScRiPt>prompt(970217)</ScRiPt>
> The input is reflected inside a text element.
> GET /undefined1<ScRiPt>prompt(970217)</ScRiPt> HTTP/1.1
> Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide;
> _setdiv2=show;
> _setdiv10=show
> Host: ella.shadlenlab.columbia.edu
>
> Connection: Keep-alive
> Accept-Encoding: gzip,deflate
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
> Trident/5.0)
> Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
> Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
> Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
>
> Accept: */*
>
>
> Any ideas what I can do about this? They won't let my server run until
> this is fixed. thanks,
> maria
>
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>
>
>
>
> --
> Maria Mckinley
> Programmer and System Administrator