01262: XSS vulnerability in Refcount

Summary: XSS vulnerability in Refcount
Created: 2011-07-19 20:56
Status: Closed, fixed for 2.2.28
Category: Bug
Assigned:
Priority: 3
Version: 2.2.27
OS: Win32/Apache 2.2.18 PHP 5.2.17

Description:
<Babelfish>
I have found another XSS vulnerability in refcount! Logically, it only works if "refcount" has been included in config.php:

 {$ScriptUrl}?action=refcount&showrefs=><b>%26lt;--%20Fix%20me%20here!</b><script>alert%28String.fromCharCode%2888,83,83%29%29</script 
 https://www.pmwiki.org/wiki?action=refcount&showrefs=><b>%26lt;--%20Fix%20me%20here!</b><script>alert%28String.fromCharCode%2888,83,83%29%29</script 

This vulnerability has existed since PmWiki 0.5.0.
</Babelfish>


<German>

XSS vulnerability in Refcount

I have found another XSS vulnerability in Refcount! Logically, it only works if "refcount" is included in config.php:

This vulnerability has existed since PmWiki 0.5.0.
</German>
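The report's URL starts the showrefs value with ">", which only works when the raw request parameter is interpolated into a tag so that the ">" closes it and everything after it is rendered as new markup. The following is an added illustration, not PmWiki's own refcount.php: a hypothetical checkbox whose state comes from the request, shown in the vulnerable shape beside two hardened forms (derive a fixed token instead of reflecting the value, or escape the value for the attribute context when it really must be reflected). The function names and the constructed probe value are assumptions.

```php
<?php
// Added example (not PmWiki's refcount.php): a minimal reflected-XSS
// pattern of the kind reported above, beside its hardened forms.
// Assumption: a checkbox whose state is controlled by a request parameter,
// with the raw value interpolated into the tag.

// Vulnerable: the request parameter is dropped into the markup unescaped.
// A value beginning with ">" closes the <input> tag and the rest of the
// value is parsed as new HTML (this is the shape of the report's URL).
function vulnerableCheckbox(array $request): string {
    $showrefs = isset($request['showrefs']) ? $request['showrefs'] : '';
    return "<input type='checkbox' name='showrefs' value='checked' $showrefs />";
}

// Hardened, option 1: the parameter is only ever a flag, so never echo it.
// Only its presence is used; the output token is a fixed literal.
function hardenedCheckboxAllowlist(array $request): string {
    $checked = !empty($request['showrefs']) ? 'checked' : '';
    return "<input type='checkbox' name='showrefs' value='checked' $checked />";
}

// Hardened, option 2: if a free-form value must be reflected (e.g. a text
// field), escape it for the quoted-attribute context. ENT_QUOTES encodes
// both quote characters, so ' " < > & cannot break out of the attribute.
function hardenedTextField(array $request): string {
    $value = isset($request['showrefs']) ? $request['showrefs'] : '';
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "<input type='text' name='showrefs' value='$safe' />";
}

// Constructed probe (a benign marker, not the report's payload): the
// leading ">" is what breaks out of the tag in the vulnerable version.
$probe = ['showrefs' => "><i>injected</i>"];

echo vulnerableCheckbox($probe), "\n";         // <i>injected</i> becomes live markup
echo hardenedCheckboxAllowlist($probe), "\n";  // only the literal word "checked"
echo hardenedTextField($probe), "\n";          // &gt;&lt;i&gt;injected... inert text
```

Option 1 is the stronger fix for a flag-like parameter: nothing attacker-controlled reaches the page at all. Option 2 is the general rule for anything that genuinely has to be reflected, and the escaping must match the context (here a quoted attribute); escaping for one context and emitting into another, such as a script block or an unquoted attribute, does not close the hole.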
This is excellent! How do you find these vulnerabilities: do you search for them by investigating the code, do you uncover them accidentally, or does someone attack your wiki with them? --Petko July 19, 2011, at 09:31 PM

Security vulnerabilities and worms are a hobby of mine; I've written an XSS worm forum for testing such vulnerabilities. The first vulnerabilities in PmWiki I found by accident; all the others I actually fished out of the code, e.g. just by looking for $_GET, $_POST and $_REQUEST I usually found something! The Path: vulnerabilities I discovered while playing around with data URIs for my URI analyzer, and the SQL vulnerabilities I discovered last year via mod_rewrite. Originally I did not want to report it, because only one external extension is affected, but because of the thing with BlogIt I changed my mind! My English still has problems, so I am reluctant to report any problems or suggestions. Michael Engelke July 20, 2011, at 11:30 AM

You are doing a great job (thanks)! If you don't want to publish the reports, you can contact the developer privately via e-mail and let him disclose the vulnerability after a fix has been released (my e-mail is 5ko [snail] 5ko [period] fr). Thanks again! --Petko July 20, 2011, at 11:53 AM