[pmwiki-users] Cross Site Scripting
Petko Yotov
5ko at 5ko.fr
Fri Apr 19 19:16:29 CDT 2013
What was the previous PmWiki version which didn't have XSS?
This is very likely not something related to PmWiki 2.2.49. When a browser
requests a URL like
http://ella.shadlenlab.columbia.edu/undefined1<ScRiPt>prompt(933131)</ScRiPt>
this request is very likely NOT processed by PmWiki at all.
If a browser requests a URL in the pmwiki/pub directory, the request is NOT
processed by PmWiki at all. Same for the other directories you listed below.
You should check your ErrorDocument 404 files, which may be vulnerable.
Or, it may be that some of your recipes are vulnerable, but what you posted
doesn't look like it.
Only the requests to /index.php and /pmwiki/index.php are suspicious - if
you have such files, check their content. The one in the pmwiki/ directory
should only include or require pmwiki.php like this:
<?php include_once('pmwiki.php');
Petko
Maria McKinley writes:
> Hi there,
>
> I have upgraded PmWiki to Version 2.2.49, and have added this line to
> config.php
> <URL:http://www.pmwiki.org/wiki/PmWiki/UploadVariables#UploadBlacklist>
> $UploadBlacklist = array('.php', '.pl', '.cgi', '.py', '.shtm', '.phtm', '.pcgi',
> '.asp', '.jsp', '.sh');
>
> However, my university won't let our web server through their firewall
> because they say that the site is vulnerable to Cross Site Scripting. They
> say it affects the following directories:
>
>
>
> Affects Variation
> / 3
> /index.php 1
> /pictures 1
> /pmwiki 3
> /pmwiki/cache 1
> /pmwiki/image 1
> /pmwiki/index.php 1
> /pmwiki/pub 1
> /pmwiki/pub/css 1
> /pmwiki/pub/skins 1
> /pmwiki/pub/skins/parchment 1
> /pmwiki/uploads
>
>
> Here are the details for the first one:
>
>
>
> Details
> /
> URI was set to undefined1<ScRiPt>prompt(933131)</ScRiPt>
> The input is reflected inside a text element.
> GET /undefined1<ScRiPt>prompt(933131)</ScRiPt> HTTP/1.1
> Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide; _setdiv2=show; _setdiv10=show
> Host: ella.shadlenlab.columbia.edu
> Connection: Keep-alive
> Accept-Encoding: gzip,deflate
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
> Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
> Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
> Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
> Accept: */*
> Request headers
> Details
> /
> URI was set to undefined1<ScRiPt>prompt(970217)</ScRiPt>
> The input is reflected inside a text element.
> GET /undefined1<ScRiPt>prompt(970217)</ScRiPt> HTTP/1.1
> Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide; _setdiv2=show; _setdiv10=show
> Host: ella.shadlenlab.columbia.edu
> Connection: Keep-alive
> Accept-Encoding: gzip,deflate
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
> Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
> Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
> Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
> Accept: */*
>
>
> Any ideas what I can do about this? They won't let my server run until this
> is fixed. thanks,
> maria
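
The reply above points at ErrorDocument 404 pages as the likely source of the reflection. As an added example (not part of the original thread and not PmWiki code), this Python classifies whether a response body echoes the scanner's probe raw, only in encoded form, or not at all; the function names and sample bodies are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Probe string copied from the scanner report quoted in this thread.
PROBE = "undefined1<ScRiPt>prompt(933131)</ScRiPt>"
HTML_META = set("<>&\"'")

def classify_reflection(probe, body):
    """Say how `probe` appears in an HTML response `body`.

    'raw'     - metacharacters intact: the page that produced the body
                (for a 404, the ErrorDocument) echoes the URI unescaped.
    'encoded' - present only entity- or percent-encoded, so it is inert.
    'absent'  - not reflected at all.
    """
    if not HTML_META & set(probe):
        raise ValueError("probe needs an HTML metacharacter to tell raw from encoded")
    if probe in body:
        return "raw"
    if probe in html.unescape(body) or probe in unquote(body):
        return "encoded"
    return "absent"

# Constructed response bodies (not captured from any real server).
SAMPLES = {
    "custom ErrorDocument echoing the URI":
        "<h1>Oops</h1><p>/undefined1<ScRiPt>prompt(933131)</ScRiPt> does not exist.</p>",
    "error page that entity-encodes the URI":
        "<p>The requested URL /undefined1&lt;ScRiPt&gt;prompt(933131)&lt;/ScRiPt&gt; "
        "was not found on this server.</p>",
    "error page that percent-encodes the URI":
        "<p>Not found: /undefined1%3CScRiPt%3Eprompt(933131)%3C/ScRiPt%3E</p>",
    "static error page": "<h1>404</h1><p>Page not found.</p>",
}

def triage(samples, probe=PROBE):
    """Map each sample name to its classification."""
    return {name: classify_reflection(probe, body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{verdict:8} {name}")
```

Only a "raw" verdict means the error page needs fixing, by HTML-escaping the request URI before output or by not printing it at all.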