[pmwiki-users] Cross Site Scripting

Petko Yotov 5ko at 5ko.fr
Sat Apr 20 02:10:52 CDT 2013


Maria McKinley writes:
> I was under the impression  
> that the version I have now is supposed to have fixed some cross scripting  
> vulnerabilities.

Yes, it is supposed to have fixed all vulnerabilities that were demonstrated  
to me. And in most cases they were fixed in a new version the day when I  
knew about them (in the few other cases, the next day).

> I don't know very much about this vulnerability, but now  
> that I look more closely at their report, it affects pretty much all of my  
> pmwiki site, as well as some non-pmwiki bits.

This is why I suggested looking at your ErrorDocument 404 file. If you have  
such a file which is executed when a browser requests a document which  
doesn't exist, it is possible that that file tells the visitor:

  Sorry, the file you requested "<?php echo $_SERVER['REQUEST_URI']; ?>"
  was not found

and this will allow XSS injections if the variable is not correctly  
sanitized.

> It appears they want me to  
> install something like this:
> http://htmlpurifier.org/
> I don't know anything about it. Has anyone tried to run something like this  
> on a pmwiki site? 

I haven't, but if PmWiki does allow XSS, it will be fixed as soon as we know  
about it. A demonstration of the XSS on the pmwiki.org website is a way to  
show that the problem comes with PmWiki and not with something external to  
it like the ErrorDocument 404 files.

Petko

> On Fri, Apr 19, 2013 at 5:16 PM, Petko Yotov <5ko at 5ko.fr> wrote:
>
>    What was the previous PmWiki version which didn't have XSS?
>
>    This is very likely not something related to PmWiki 2.2.49. When a browser  
>    requests a URL like  
>    http://ella.shadlenlab.columbia.edu/undefined1<ScRiPt>prompt(933131)</ScRiPt>  
>    this request is very likely NOT processed by PmWiki at all.
>
>    If a browser requests a URL in the pmwiki/pub directory, the request is  
>    NOT processed by PmWiki at all. Same for the other directories you listed  
>    below.
>
>    You should check your ErrorDocument 404 files, which may be vulnerable.
>
>    Or, it may be that one of your recipes is vulnerable, but what you posted  
>    doesn't look like it.
>
>    Only the requests to /index.php and /pmwiki/index.php are suspicious - if  
>    you have such files, check their content. The one in the pmwiki/ directory  
>    should only include or require pmwiki.php like this:
>
>      <?php include_once('pmwiki.php');
>
>
>    Petko
>
>
>    Maria McKinley writes:
>
>      « HTML content follows »
>
>      Hi there,
>
>      I have upgraded PmWiki to Version 2.2.49, and have added this line to  
>      config.php  
>      http://www.pmwiki.org/wiki/PmWiki/UploadVariables#UploadBlacklist  
>      $UploadBlacklist = array('.php', '.pl', '.cgi', '.py', '.shtm', '.phtm',  
>      '.pcgi', '.asp', '.jsp', '.sh');
>
>
>      However, my university won't let our web server through their firewall  
>      because they say that the site is vulnerable to Cross Site Scripting.  
>      They say it affects the following directories:
>
>
>
>      Affects                       Variation
>      /                             3
>      /index.php                    1
>      /pictures                     1
>      /pmwiki                       3
>      /pmwiki/cache                 1
>      /pmwiki/image                 1
>      /pmwiki/index.php             1
>      /pmwiki/pub                   1
>      /pmwiki/pub/css               1
>      /pmwiki/pub/skins             1
>      /pmwiki/pub/skins/parchment   1
>      /pmwiki/uploads
>
>
>      Here are the details for the first one:
>
>
>
>      Details
>      /
>      URI was set to undefined1<ScRiPt>prompt(933131)</ScRiPt>
>      The input is reflected inside a text element.
>      GET /undefined1<ScRiPt>prompt(933131)</ScRiPt> HTTP/1.1
>      Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide;  
>      _setdiv2=show;
>      _setdiv10=show
>      Host: ella.shadlenlab.columbia.edu
>
>      Connection: Keep-alive
>      Accept-Encoding: gzip,deflate
>      User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;  
>      Trident/5.0)
>      Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
>      Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
>      Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
>
>      Accept: */*
>      Request headers
>      Details
>      /
>      URI was set to undefined1<ScRiPt>prompt(970217)</ScRiPt>
>      The input is reflected inside a text element.
>      GET /undefined1<ScRiPt>prompt(970217)</ScRiPt> HTTP/1.1
>      Cookie: _setdiv20=show; _setdiv22=show; _setdiv30=show; _setdiv1=hide;  
>      _setdiv2=show;
>      _setdiv10=show
>      Host: ella.shadlenlab.columbia.edu
>
>      Connection: Keep-alive
>      Accept-Encoding: gzip,deflate
>      User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;  
>      Trident/5.0)
>      Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
>      Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
>      Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
>
>      Accept: */*
>
>
>      Any ideas what I can do about this? They won't let my server run until  
>      this is fixed. Thanks,
>      maria
>
>    _______________________________________________
>    pmwiki-users mailing list
>    pmwiki-users at pmichaud.com
>    http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>
>
>
>
> --
> Maria Mckinley
> Programmer and System Administrator
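Petko's ErrorDocument 404 example, written out as an added illustration that is not code from the thread or from PmWiki: the unsanitized echo of REQUEST_URI beside the encoded version, with the scanner's probe from the report replayed as a self-check. The file name 404.php and the Apache "ErrorDocument 404 /404.php" line are assumptions.

```php
<?php
// Added example, not code from the pmwiki-users thread or from PmWiki.
// A minimal ErrorDocument 404 handler in the shape Petko describes. Assumes
// the Apache directive "ErrorDocument 404 /404.php" points at this file.

// Vulnerable form: the requested path goes into the HTML body verbatim, so a
// request for /undefined1<ScRiPt>prompt(933131)</ScRiPt> (the scanner's probe
// from the report) is reflected as live markup inside a text element.
function notfound_vulnerable($requestUri)
{
    return 'Sorry, the file you requested "' . $requestUri . '" was not found';
}

// Fixed form: encode for the HTML text context before output. ENT_QUOTES also
// covers attribute contexts if the template later changes; ENT_SUBSTITUTE keeps
// invalid UTF-8 from blanking the whole string; the charset is explicit.
function notfound_safe($requestUri)
{
    $safe = htmlspecialchars($requestUri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return 'Sorry, the file you requested "' . $safe . '" was not found';
}

// Self-check from the command line (php 404.php): replays the report's probe
// against both forms and reports whether the <ScRiPt> tag survives as a tag.
if (PHP_SAPI === 'cli') {
    $probe = '/undefined1<ScRiPt>prompt(933131)</ScRiPt>'; // constructed from the report
    $reflected = stripos(notfound_vulnerable($probe), '<ScRiPt>') !== false; // true
    $encoded   = stripos(notfound_safe($probe), '<ScRiPt>') === false;       // true
    echo 'vulnerable form reflects raw tag: ', var_export($reflected, true), PHP_EOL;
    echo 'safe form neutralises the tag:    ', var_export($encoded, true), PHP_EOL;
    echo notfound_safe($probe), PHP_EOL; // prints &lt;ScRiPt&gt; instead of a tag
    exit($reflected && $encoded ? 0 : 1);
}

// Web path: under an Apache ErrorDocument internal redirect, REQUEST_URI still
// holds the path the browser originally asked for.
http_response_code(404);
header('Content-Type: text/html; charset=UTF-8');
echo '<!DOCTYPE html><html><body><p>',
     notfound_safe($_SERVER['REQUEST_URI']),
     '</p></body></html>';
```

Requesting the scanner's probe path against the hardened file returns the text with the tag rendered literally rather than executed, which is the behaviour Petko says to check for.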


