FINDING ID: iSEC-WMF1214-10
TARGETS: Users' custom scripts, such as http://devwiki/w/index.php?title=User:Foo/common.js&action=submit
DESCRIPTION: When editing any user's custom JavaScript, the script is executed whenever the "Show
Preview" or "Show Changes" buttons are clicked. This could allow an attacker to trick another user
into executing JavaScript which hijacks their session. Because privileged users can edit the JavaScript
of lower-privileged users, this could lead to privilege escalation.
EXPLOIT SCENARIO: A low-privileged user adds some complex custom JavaScript to their account,
with malicious code embedded within that directs people to a fake login screen or performs actions on
the victim's behalf. The user complains to an Administrator that they are having difficulty with their
custom "skin", and asks the Administrator to change a small portion of the script for them. Upon
previewing the edit or viewing changes, the malicious code executes in the context of the Administrator's
session.
SHORT TERM SOLUTION: Do not include another user's custom script when previewing or showing
changes. These pages should only allow users to edit and view code.
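The short-term solution as an added, illustrative check (not MediaWiki's own code): from the page title and the identity of the user previewing the edit, decide whether a previewed user script may run at all. Only the owner's own script executes; anyone else, including an Administrator, gets a view-only preview. The check goes slightly beyond the finding by normalizing title spelling (underscores, leading capital) and by handling nested subpages; all names and the simplified title grammar are assumptions.

```python
"""Preview authorization for user script pages (constructed example, not MediaWiki code).

Policy: a previewed User:<name>/<subpage>.js only executes in the session of
<name>; every other editor gets a view-only preview. Ownership, not privilege
level, decides, which is what closes the Administrator-edits-my-script path.
"""
import re
from typing import Optional

# Simplified title grammar (assumption): "User:<owner>/<one or more subpages>.js".
# Only .js subpages are executable; .css and non-user pages are not script pages.
USER_JS_TITLE = re.compile(r"^User:([^/]+)/.+\.js$")


def canonical_user(name: str) -> str:
    """Normalize a user name the way wiki titles are compared:
    underscores equal spaces and the first letter is capitalized."""
    name = name.replace("_", " ").strip()
    return name[:1].upper() + name[1:]


def user_script_owner(title: str) -> Optional[str]:
    """Return the owning user of a user JavaScript page, or None if `title`
    is not a user script page (wrong namespace, no subpage, not .js)."""
    match = USER_JS_TITLE.match(title.replace("_", " ").strip())
    if match is None:
        return None
    return canonical_user(match.group(1))


def preview_mode(title: str, viewer: str) -> str:
    """Decide how "Show Preview" / "Show Changes" should treat the edited content.

    "render"    - not a user script page; normal wikitext preview.
    "execute"   - the viewer owns the script; it may run in their session.
    "view_only" - someone else's script; show the code, never execute it.
    """
    owner = user_script_owner(title)
    if owner is None:
        return "render"
    if owner == canonical_user(viewer):
        return "execute"
    return "view_only"


if __name__ == "__main__":
    # Constructed sample requests: owner previewing vs. Administrator previewing.
    for title, viewer in [("User:Foo/common.js", "Foo"),
                          ("User:Foo/common.js", "Admin"),
                          ("User:foo_bar/vector.js", "Foo bar")]:
        print(f"{title!r} previewed by {viewer!r}: {preview_mode(title, viewer)}")
```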
LONG TERM SOLUTION: The custom JavaScript system has several deficiencies. Consider deprecating
this functionality and allowing users to customize the site using client-side code instead.