[pmwiki-users] Cross Site Scripting

Maria McKinley mariak at mariakathryn.net
Sat Apr 20 00:20:06 CDT 2013


I didn't mean to imply that my previous version of pmwiki didn't have this
issue. I was just mentioning the version, since I was under the impression
that the version I have now is supposed to have fixed some cross scripting
vulnerabilities. I don't know very much about this vulnerability, but now
that I look more closely at their report, it affects pretty much all of my
pmwiki site, as well as some non-pmwiki bits. It appears they want me to
install something like this:

http://htmlpurifier.org/

I don't know anything about it. Has anyone tried to run something like this
on a pmwiki site?

thanks,
maria




On Fri, Apr 19, 2013 at 5:16 PM, Petko Yotov <5ko at 5ko.fr> wrote:

> What was the previous PmWiki version which didn't have XSS?
>
> This is very likely not something related to PmWiki 2.2.49. When a browser
> requests a URL like
> http://ella.shadlenlab.columbia.edu/undefined1<ScRiPt>prompt(933131)</ScRiPt>
> this request is very likely NOT processed by PmWiki at all.
>
> If a browser requests a URL in the pmwiki/pub directory, the request is
> NOT processed by PmWiki at all. Same for the other directories you listed
> below.
>
> You should check your ErrorDocument 404 files, which may be vulnerable.
>
> Or, it may be that some of your recipes are vulnerable, but what you posted
> doesn't look like it.
>
> Only the requests to /index.php and /pmwiki/index.php are suspicious - if
> you have such files, check their content. The one in the pmwiki/ directory
> should only include or require pmwiki.php like this:
>
>   <?php include_once('pmwiki.php');
>
>
> Petko
>
>
> Maria McKinley writes:
>
>> Hi there,
>>
>> I have upgraded PmWiki to Version 2.2.49, and have added this line to
>> config.php:
>>
>> $UploadBlacklist = array('.php', '.pl', '.cgi', '.py', '.shtm',
>> '.phtm', '.pcgi', '.asp', '.jsp', '.sh');
>> <http://www.pmwiki.org/wiki/PmWiki/UploadVariables#UploadBlacklist>
>>
>>
>> However, my university won't let our web server through their firewall
>> because they say that the site is vulnerable to Cross Site Scripting. They
>> say it affects the following directories:
>>
>>
>>
>> Affects Variation
>> / 3
>> /index.php 1
>> /pictures 1
>> /pmwiki 3
>> /pmwiki/cache 1
>> /pmwiki/image 1
>> /pmwiki/index.php 1
>> /pmwiki/pub 1
>> /pmwiki/pub/css 1
>> /pmwiki/pub/skins 1
>> /pmwiki/pub/skins/parchment 1
>> /pmwiki/uploads
>>
>>
>> Here are the details for the first one:
>>
>>
>>
>> Details
>> /
>> URI was set to undefined1<ScRiPt>prompt(933131)</ScRiPt>
>> The input is reflected inside a text element.
>> GET /undefined1<ScRiPt>prompt(933131)</ScRiPt> HTTP/1.1
>> Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide; _setdiv2=show; _setdiv10=show
>> Host: ella.shadlenlab.columbia.edu
>> Connection: Keep-alive
>> Accept-Encoding: gzip,deflate
>> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
>> Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
>> Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
>> Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
>> Accept: */*
>> Request headers
>> Details
>> /
>> URI was set to undefined1<ScRiPt>prompt(970217)</ScRiPt>
>> The input is reflected inside a text element.
>> GET /undefined1<ScRiPt>prompt(970217)</ScRiPt> HTTP/1.1
>> Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide; _setdiv2=show; _setdiv10=show
>> Host: ella.shadlenlab.columbia.edu
>> Connection: Keep-alive
>> Accept-Encoding: gzip,deflate
>> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
>> Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
>> Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
>> Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
>> Accept: */*
>>
>>
>> Any ideas what I can do about this? They won't let my server run until
>> this is fixed. thanks,
>> maria
>>
>



-- 
Maria Mckinley
Programmer and System Administrator
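
Petko's suggestion to check the ErrorDocument 404 files, as an added example that is not part of the original thread or of PmWiki: a custom PHP 404 page that reflects the requested path, next to a version that HTML-encodes it first. The file name 404.php, the function names and the page wording are assumptions; the sample probe is constructed from the scanner report quoted above.

```php
<?php
// Added example, not code from the thread. Assumes Apache is configured with
// "ErrorDocument 404 /404.php" (the file name is hypothetical).

// Vulnerable form: the requested path is written into the page body as-is.
// A scanner reports this as "input is reflected inside a text element".
function render_404_vulnerable(string $requestUri): string
{
    return "<html><body><h1>Not Found</h1>"
         . "<p>The page " . urldecode($requestUri) . " does not exist.</p>"
         . "</body></html>";
}

// Hardened form: HTML-encode the path before placing it in the document,
// so angle brackets and quotes arrive in the browser as text, not markup.
function render_404_hardened(string $requestUri): string
{
    $safe = htmlspecialchars(
        urldecode($requestUri),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return "<html><body><h1>Not Found</h1>"
         . "<p>The page " . $safe . " does not exist.</p>"
         . "</body></html>";
}

// True when the mixed-case script tag from the probe survives in the output.
function reflects_markup(string $html): bool
{
    return stripos($html, '<script>') !== false;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input modelled on the probe in the scanner report.
    $probe = '/undefined1<ScRiPt>prompt(933131)</ScRiPt>';
    var_dump(reflects_markup(render_404_vulnerable($probe)));
    var_dump(reflects_markup(render_404_hardened($probe)));
} else {
    // Served as the error document: always answer with the encoded form.
    http_response_code(404);
    header('Content-Type: text/html; charset=UTF-8');
    echo render_404_hardened($_SERVER['REQUEST_URI'] ?? '');
}
```

The same check applies to any static or templated error page on the server, including ones outside the pmwiki/ directory, since those requests never reach PmWiki.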