FINDING ID: iSEC-WMF1214-8
DESCRIPTION: The API supports multiple data output formats, some of which have recently been
deprecated. The wddx output format returns a response with Content-Type: text/xml. The
response always indicates that the wddx output format has been deprecated and instructs the API
user to use the json format instead. However, if an API request with this output format is sent to
api.php with an invalid parameter, the response also includes an error message that reflects the
user-supplied parameter without any output encoding. This allows an attacker to inject XML, which
can be used to trick the browser into interpreting the response as XHTML and executing injected
script, demonstrating a reflected XSS attack.
This exploit works on several browsers that iSEC tested and bypasses Chrome's anti-XSS filters, making
it especially effective.
Affected Versions: MediaWiki on HHVM before 3.6.1
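The following Python is an added illustration of the defect class this finding describes and of its remediation; it is not code from the iSEC report or from MediaWiki. It models a deprecation response in which an unrecognized parameter name is reflected into an XML error element, first without output encoding and then with XML-escaping applied, and includes a check that parses the response and lists any element that was not produced by the template. The response layout, element names and the probe string are constructed for the example, not taken from the MediaWiki API.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed notice text; the real API wording is not reproduced here.
DEPRECATION_NOTICE = "The wddx output format has been deprecated. Use the json format instead."

# Constructed, harmless probe: closes the attribute and element it lands in and
# adds an empty <probe/> element. No script is involved; it only shows that
# markup structure can be altered when the value is not encoded.
PROBE = 'x"/><probe/><error info="'


def _wrap(info_value: str) -> str:
    """Shared response template (constructed); info_value is placed in an attribute."""
    return (
        '<?xml version="1.0"?>'
        "<api>"
        f"<warnings>{DEPRECATION_NOTICE}</warnings>"
        f'<error code="unknown_param" info="Unrecognized parameter: {info_value}"/>'
        "</api>"
    )


def build_error_unsafe(param_name: str) -> str:
    """Vulnerable pattern: the user-supplied name is concatenated into the XML verbatim."""
    return _wrap(param_name)


def build_error_safe(param_name: str) -> str:
    """Hardened pattern: escape &, <, > and both quote characters before embedding
    the value in attribute context, so it can only ever be attribute text."""
    return _wrap(escape(param_name, {'"': "&quot;", "'": "&apos;"}))


def injected_elements(xml_text: str) -> list:
    """Parse the response and return the tags of any element the template did not emit.
    A non-empty list means the reflected value changed the document structure.
    Raises xml.etree.ElementTree.ParseError if the document is not well-formed."""
    expected = {"api", "warnings", "error"}
    root = ET.fromstring(xml_text)
    return [el.tag for el in root.iter() if el.tag not in expected]


def reflected_info(xml_text: str) -> str:
    """Return the decoded info attribute of the first <error> element."""
    return ET.fromstring(xml_text).find("error").get("info")


if __name__ == "__main__":
    print("unsafe:", injected_elements(build_error_unsafe(PROBE)))   # ['probe']
    print("safe:  ", injected_elements(build_error_safe(PROBE)))     # []
    print("safe value round-trips:", reflected_info(build_error_safe(PROBE)))
```

The structural check in injected_elements is the kind of assertion a regression test for this finding would carry: after the fix, a response built from any parameter name must parse to exactly the template's elements, and the decoded attribute must equal the original input.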