web application security lab

MediaWiki 1.9.2 UTF-7 XSS

I got an email a few days ago from Moshe Ben-Abu talking about an XSS using UTF-7 in MediaWiki (version 1.9.2, the latest release at the time). The advisory is available here. Here is his email:

A Cross-site scripting vulnerability has been found in MediaWiki 1.9.2 (latest version) in the experimental AJAX feature. Actually it’s the same one that they fixed on 9/1/07 (http://www.mediawiki.org/wiki/News) but UTF-7 encoded.

After doing some testing I was coming up empty-handed - I couldn’t repeat it. Well it turns out it only works if Firefox is set up to view UTF-7 by default (which it next to never will be) and IE7.0 ignores it by outputting its default 400 page. So this would appear to work only in IE6.0 (which is not particularly useful). However, there’s an old trick in IE where you can force the output to show and get rid of that pesky default message. You just need to put in enough data. Here’s a demo that should work in IE7.0:

So, yes, anyone using IE7.0 viewing MediaWiki is now vulnerable to the UTF-7 injection. This is a tricky one to solve, but could most easily be fixed by declaring a charset explicitly (for example charset=UTF-8 in the Content-Type header) rather than leaving it blank, so the browser never has to guess an encoding from the page contents. Nice find, Moshe!
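The mechanics behind the post, as an added example that is not part of the original post and not MediaWiki code: a UTF-7 encoder and decoder show why `<script>alert(1)</script>` becomes `+ADw-script+AD4-alert(1)+ADw-/script+AD4-`, a string with no HTML metacharacters that sails through ordinary HTML escaping and only turns back into a script tag if the browser decides the page is UTF-7. The `declaresCharset` check models the fix (an explicit charset in Content-Type), and `padForIeFriendlyError` is the "put in enough data" trick; the 512-byte figure is IE's documented friendly-error threshold for 400 responses, not something stated on this page. The function names, the two constructed responses and the sample payload are this example's own.

```javascript
// Added example (not from the original post or from MediaWiki): UTF-7 encode /
// decode, the escaping bypass, the explicit-charset check, and IE padding.

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// RFC 2152 "Set D" plus whitespace: what a conservative UTF-7 encoder emits
// literally. Everything else, including < > " ' &, becomes a +...- run.
const DIRECT = /[A-Za-z0-9'(),\-.\/:? \t\r\n]/;

function utf7Encode(str) {
  let out = "";
  for (let i = 0; i < str.length; ) {
    const ch = str[i];
    if (ch === "+") { out += "+-"; i++; continue; }      // literal "+" is "+-"
    if (DIRECT.test(ch)) { out += ch; i++; continue; }
    // Collect a run of non-direct chars and base64-encode their UTF-16BE bytes.
    const bytes = [];
    while (i < str.length && str[i] !== "+" && !DIRECT.test(str[i])) {
      const cu = str.charCodeAt(i++);
      bytes.push(cu >> 8, cu & 0xff);
    }
    let bits = 0, nbits = 0, b64 = "";
    for (const b of bytes) {
      bits = (bits << 8) | b; nbits += 8;
      while (nbits >= 6) { nbits -= 6; b64 += B64[(bits >> nbits) & 63]; bits &= (1 << nbits) - 1; }
    }
    if (nbits > 0) b64 += B64[(bits << (6 - nbits)) & 63]; // flush; UTF-7 has no "=" padding
    out += "+" + b64 + "-";
  }
  return out;
}

// What a browser that has settled on UTF-7 does with those bytes.
function utf7Decode(s) {
  let out = "";
  for (let i = 0; i < s.length; ) {
    if (s[i] !== "+") { out += s[i++]; continue; }
    i++;
    if (s[i] === "-") { out += "+"; i++; continue; }
    let bits = 0, nbits = 0;
    while (i < s.length && B64.indexOf(s[i]) !== -1) {
      bits = (bits << 6) | B64.indexOf(s[i++]); nbits += 6;
      if (nbits >= 16) { nbits -= 16; out += String.fromCharCode((bits >> nbits) & 0xffff); bits &= (1 << nbits) - 1; }
    }
    if (s[i] === "-") i++;                                // optional terminator
  }
  return out;
}

// Ordinary output escaping of untrusted text; it never touches the UTF-7 form.
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// The fix: returns the declared charset, or null when the header leaves it
// blank and the browser is free to sniff one (UTF-7 included) from the body.
function declaresCharset(contentType) {
  const m = /;\s*charset\s*=\s*"?([\w.-]+)"?/i.exec(contentType || "");
  return m ? m[1].toLowerCase() : null;
}

// IE swaps a 400 response shorter than 512 bytes for its own error page
// (documented IE behaviour, not from the post); pad with whitespace, which is
// a direct character in UTF-7, until the body clears the threshold.
const IE_FRIENDLY_ERROR_MIN_BYTES = 512;
function padForIeFriendlyError(body) {
  const len = new TextEncoder().encode(body).length;
  return len >= IE_FRIENDLY_ERROR_MIN_BYTES ? body : body + " ".repeat(IE_FRIENDLY_ERROR_MIN_BYTES - len);
}

// Constructed sample: one payload, one response without charset, one with.
const PAYLOAD = "<script>alert(1)</script>";
const ENCODED = utf7Encode(PAYLOAD);           // +ADw-script+AD4-alert(1)+ADw-/script+AD4-
const VULNERABLE = { headers: { "Content-Type": "text/html" }, body: htmlEscape(ENCODED) };
const FIXED = { headers: { "Content-Type": "text/html; charset=UTF-8" }, body: htmlEscape(ENCODED) };

// Document text as a UTF-7-sniffing browser would see it for each response.
function asSeenIfSniffedAsUtf7(resp) {
  return declaresCharset(resp.headers["Content-Type"]) ? resp.body : utf7Decode(resp.body);
}

console.log("escaped body :", VULNERABLE.body);
console.log("no charset   :", asSeenIfSniffedAsUtf7(VULNERABLE)); // live script tag
console.log("charset=UTF-8:", asSeenIfSniffedAsUtf7(FIXED));      // inert +ADw- text
```

The point the decoder makes is that the escaping step was not wrong, it simply had nothing to escape; the injection happens at the browser's charset decision, so the defence belongs in the response headers (and a `<meta charset>` for documents served without them), not in the filter.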

4 Responses to “MediaWiki 1.9.2 UTF-7 XSS”

  1. Edward Z. Yang Says:

    The issue has been fixed with MediaWiki 1.9.3.

  2. Spikeman Says:

    And I just installed 1.9.2.. ughh.

  3. Stefan Esser Says:

    Firefox is also vulnerable to this kind of UTF-7 exploit.

    However the “exploit” that you need to get the example to work will hopefully be fixed in 2.0.0.2

    Right now every Firefox installation is vulnerable to this.

  4. Edward Z. Yang Says:

    Spikeman: Updating MediaWiki is very easy, and they’re very good about maintaining backwards compatibility between release branches. Usually, all you’ll have to do is unzip the tarball over the existing install.
