FINDING ID: iSEC-WMF1214-10
TARGETS: Users' custom scripts, such as http://devwiki/w/index.php?title=User:Foo/common.js&action=
Preview" or "Show Changes" buttons are clicked. This could allow an attacker to trick another user
of lower privileged users, this could lead to privilege escalation.
with malicious code embedded within that directs people to a fake login screen or performs actions on
the victim's behalf. The user complains to an Administrator that they are having difficulty with their
custom "skin", and asks the Administrator to change a small portion of the script for them. Upon previewing the edit or viewing changes, the malicious code executes in the context of the Administrator's
SHORT TERM SOLUTION: Do not include another user's custom script when previewing or showing
changes. These pages should only allow users to edit and view code.
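The following is an added illustration of the short term solution, not MediaWiki's own code: a server-side check that attaches a stored User:<name>/*.js or *.css page as an executable script during preview or diff only when the viewer is its owner, while everyone else (an Administrator editing it on request, for instance) sees the code as plain text. The title-normalization rules (underscores as spaces, capitalized first letter) follow MediaWiki conventions; the function and field names are assumptions.

```python
# Added example, not MediaWiki's code: gate user-script execution on preview/diff.
USER_SCRIPT_SUFFIXES = (".js", ".css")


def normalize_name(name: str) -> str:
    """MediaWiki-style normalization: underscores are spaces, whitespace runs
    collapse, and the first character is capitalized."""
    name = " ".join(name.replace("_", " ").split())
    return name[:1].upper() + name[1:] if name else name


def owner_of_user_script(page_title: str):
    """Return the owning user of a User:<name>/<subpage>.js|.css title,
    or None when the title is not a user script page at all."""
    namespace, sep, rest = page_title.partition(":")
    if not sep or normalize_name(namespace) != "User":
        return None  # User talk:, MediaWiki: etc. are not per-user scripts
    user, slash, subpage = rest.partition("/")
    if not slash or not subpage.lower().endswith(USER_SCRIPT_SUFFIXES):
        return None  # bare user page, or a subpage that is not code
    return normalize_name(user)


def should_load_user_script(page_title: str, viewing_user: str) -> bool:
    """True only when the person previewing or diffing the page owns the script."""
    owner = owner_of_user_script(page_title)
    return owner is not None and owner == normalize_name(viewing_user)


def build_preview(page_title: str, content: str, viewing_user: str) -> dict:
    """Preview payload (field names assumed): the code is always rendered as
    text; it is attached for execution only for its owner."""
    return {
        "source_text": content,
        "executable_script": content if should_load_user_script(page_title, viewing_user) else None,
    }


if __name__ == "__main__":
    # Constructed sample: Foo's script previewed by Foo and by an Administrator.
    script = "mw.util.addCSS('body { color: red }');"  # constructed, benign content
    print(build_preview("User:Foo/common.js", script, "Foo"))
    print(build_preview("User:Foo/common.js", script, "Admin"))
```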
this functionality and allowing users to customize the site using client-side code instead