MW Version: 1.32.1
Using the GET HTTP method, Nessus found that : + The following resources may be vulnerable to blind SQL injection : + The 'skin' parameter of the /load.php CGI : /load.php?debug=false&only=styles&modules=mediawiki.legacy.commonPrint%2 52Cshared%257Cmediawiki.skinning.interface%257Cskins.vector.styles&lang= en&skin=vector+or+1=1 -------- output -------- HTTP/1.1 200 OK -------- vs -------- HTTP/1.1 404 Not Found ------------------------ + The 'modules' parameter of the /api.php CGI : /api.php?recursivesubmodules=1&action=rsd&modules=rsd+or+1=1 -------- output -------- HTTP/1.1 200 OK -------- vs -------- HTTP/1.1 404 Not Found ------------------------
• Discovery o First Discovered: Today o Last Observed: Today • Host Information o IP Address: [redacted] ( 443 / TCP ) o DNS: [redacted] o NetBIOS: [redacted] o Repository: Individual Scan • Risk Information o Risk Factor: High o CVSS v2 Base Score: 7.5 o CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P • Exploit Information o Exploit Available: No • Plugin Details o Plugin ID: 42424 o Published: Nov 6, 2009 o Last Modified: Nov 15, 2018 o Family: CGI abuses o Version: 1.34 o Type: remote • Reference Information o CWE: CWE-20 CWE-722 CWE-751 CWE-801 CWE-89 CWE-77 CWE-713 CWE-727 CWE-203 CWE-810 CWE-643 CWE-91 CWE-928 CWE-929
-Eric