CVE-2008-4408
Description
Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0, and possibly other versions before 1.13.2 allows remote attackers to inject arbitrary web script or HTML via the useskin parameter to an unspecified component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki 1.13.1, 1.12.0, and earlier vulnerable branches allow XSS via the useskin parameter when $wgUseSiteCss is enabled.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in MediaWiki versions 1.13.1, 1.12.0, and possibly other versions before 1.13.2 when the configuration option $wgUseSiteCss is enabled (which is the default) [1][2][3]. The bug allows remote attackers to inject arbitrary web script or HTML via the useskin parameter to an unspecified component [1]. Versions 1.11 and earlier are not vulnerable, and the development branch after July 28, 2008 is also not affected [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a useskin parameter with embedded JavaScript or HTML, and then enticing a victim user to visit that URL. No prior authentication or special network position is required; the attack only requires the victim to click a crafted link, and the vulnerable MediaWiki instance must have $wgUseSiteCss enabled [1].
Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the victim's browser within the context of the vulnerable MediaWiki site. This can lead to session theft, account compromise, or other actions that the victim user can perform on the wiki, without requiring any additional privileges [1].
Mitigation
The vulnerability is fixed in MediaWiki versions 1.13.2 and 1.12.1, which were released on October 2, 2008 [1][2][3]. Administrators should upgrade to these patched versions immediately. As a workaround, disabling $wgUseSiteCss in LocalSettings.php will prevent exploitation, although this may affect site styling. Versions prior to 1.12 are not affected and do not require action [1].
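As an added example, not part of this CVE record and not MediaWiki's own code, the following Python script scans web-server access logs in the Apache/nginx "combined" format for requests whose useskin value contains anything other than a plain skin identifier, which is what an administrator would want to check while scheduling the upgrade or after disabling $wgUseSiteCss. The sample log lines and the assumption that legitimate skin names consist only of letters, digits, hyphens and underscores are constructed for this example.

```python
"""Flag access-log requests with non-identifier values in MediaWiki's useskin
parameter (CVE-2008-4408). Added example; assumes 'combined' log format and
that real skin names are short [A-Za-z0-9_-] identifiers."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Oct/2008:10:12:01 +0000] "GET /index.php?title=Main_Page&useskin=monobook HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Oct/2008:10:12:07 +0000] "GET /index.php?title=Main_Page&useskin=monobook%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
198.51.100.2 - - [02/Oct/2008:10:13:44 +0000] "GET /index.php?title=Special:Version HTTP/1.1" 200 3012 "-" "curl/7.18"
198.51.100.7 - - [02/Oct/2008:10:14:02 +0000] "GET /index.php?useskin=modern HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

# "combined" format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption for this example: a legitimate skin name is a short identifier
# with no markup or quoting characters.
SKIN_NAME_RE = re.compile(r'^[A-Za-z0-9_-]{1,32}$')


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def useskin_values(target):
    """Return every useskin value in the request target. parse_qs decodes one
    level of percent-encoding; unquote() is applied once more so that a
    double-encoded value is inspected in its final, decoded form."""
    query = urlsplit(target).query
    raw = parse_qs(query, keep_blank_values=True).get("useskin", [])
    return [unquote(v) for v in raw]


def suspicious_useskin(log_text):
    """Return a list of {ip, ts, value} records for requests whose useskin
    value is non-empty and does not look like a skin identifier."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or differently formatted line; skipped here
        for value in useskin_values(rec["target"]):
            if value and not SKIN_NAME_RE.match(value):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "value": value})
    return hits


if __name__ == "__main__":
    for h in suspicious_useskin(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} useskin={h["value"]!r}')
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a hit only indicates that a crafted link was requested, not that a victim's browser executed anything, so correlate the timestamp and client with the status code and any session activity that followed.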
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (11)
- lists.wikimedia.org/pipermail/mediawiki-announce/2008-October/000078.html [nvd]
- openwall.com/lists/oss-security/2008/10/02/3 [nvd]
- secunia.com/advisories/32128 [nvd]
- secunia.com/advisories/32131 [nvd]
- svn.wikimedia.org/svnroot/mediawiki/tags/REL1_12_1/phase3/RELEASE-NOTES [nvd]
- svn.wikimedia.org/svnroot/mediawiki/tags/REL1_13_2/phase3/RELEASE-NOTES [nvd]
- www.securityfocus.com/bid/31540 [nvd]
- www.vupen.com/english/advisories/2008/2737 [nvd]
- exchange.xforce.ibmcloud.com/vulnerabilities/45632 [nvd]
- www.redhat.com/archives/fedora-package-announce/2008-October/msg00179.html [nvd]
- www.redhat.com/archives/fedora-package-announce/2008-October/msg00220.html [nvd]
News mentions: 0
No linked articles in our index yet.