FINDING ID: iSEC-WMF1214-8
DESCRIPTION: The API supports multiple data output formats, some of which have recently been
deprecated. The wddx output format returns a response with Content-Type: text/xml. The
response always indicates that the wddx output format has been deprecated and instructs the API
user to use the json format instead. However, if an API request with this output format is sent to
api.php with an invalid parameter, the response also includes an error message that reflects the
user-supplied parameter without any output encoding. This allows an attacker to inject XML, which
can be used to trick the browser into interpreting the response as XHTML and executing injected
JavaScript. To exploit this vulnerability, an attacker can craft a simple URL that, when clicked by
a MediaWiki user, will execute arbitrary JavaScript in their browser session for that domain. The
following URL executes JavaScript that pops up an alert window on the resulting MediaWiki page,
demonstrating a reflected XSS attack.
http://devwiki/w/api.php?action=flow&format=wddx&submodule=invalid%3C/string%3E%3Cfoo%3E%0A%3Chtml%20xmlns%3ahtml%3d%27http%3a%2f%2fwww.w3.org%2f1999%2fxhtml%27%3E%0A%20%3Chtml%3ascript%3Ealert(%22Reflected%20XSS!%22)%3b%3C%2fhtml%3ascript%3E%0A%3C%2fhtml%3E%0A%3C%2ffoo%3E%3Cstring%3E&page=User_talk%3AAdmin&ntreplyTo=&nttopic=Flow&ntcontent=flowwwww&token=3b44a9711080c52414b4d1f05682590554a1ead0%2B
This exploit works on several browsers that iSEC tested and bypasses Chrome's anti-XSS filters, making
it especially effective.
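As an added illustration (not MediaWiki's or iSEC's code), the PHP sketch below contrasts an error response that concatenates the offending parameter value straight into the XML body with one that escapes it first, and includes a regression check that the rendered document still contains only the intended <string> element; the function names, the simplified packet layout and the probe value are assumptions made for the example.

```php
<?php
// Added example, not MediaWiki's own code. Function names and the trimmed
// wddxPacket layout are assumptions; the probe value below is constructed.

// Vulnerable rendering: the parameter value is concatenated directly into the
// XML document, so a value containing '<' or '>' changes the document's structure.
function renderErrorUnsafe(string $param): string {
    return "<wddxPacket version='1.0'><data><string>"
        . "Unrecognized value for parameter 'submodule': " . $param
        . "</string></data></wddxPacket>";
}

// Hardened rendering: escape the value for XML text content before embedding it.
// ENT_XML1 selects XML 1.0 entities; ENT_QUOTES also escapes both quote
// characters so the same helper is safe inside attribute values.
function xmlEscape(string $value): string {
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

function renderErrorSafe(string $param): string {
    return "<wddxPacket version='1.0'><data><string>"
        . "Unrecognized value for parameter 'submodule': " . xmlEscape($param)
        . "</string></data></wddxPacket>";
}

// Regression check: parse the rendered body and confirm that <data> holds
// exactly one <string> element and that this element contains no child markup.
function reflectsOnlyText(string $xml): bool {
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return false; // malformed XML: the reflected value broke the document
    }
    $names = [];
    foreach ($doc->data->children() as $child) {
        $names[] = $child->getName();
    }
    return $names === ['string'] && count($doc->data->string->children()) === 0;
}

// Constructed probe: closes the <string> element and opens a sibling element,
// the same structural trick the finding describes.
$probe = "invalid</string><foo>injected</foo><string>";

var_dump(reflectsOnlyText(renderErrorUnsafe($probe)));
var_dump(reflectsOnlyText(renderErrorSafe($probe)));
```

The unsafe renderer yields a document with three children under <data>, so the check fails, while the escaped version keeps the probe as inert text inside the single <string> element.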