VYPR
Unrated severity · NVD Advisory · Published Feb 25, 2009 · Updated Apr 23, 2026

CVE-2009-0737

Description

Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple cross-site scripting vulnerabilities exist in MediaWiki's web-based installer, affecting versions before 1.6.12, 1.12.4, and 1.13.4.

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in the web-based installer (config/index.php) of MediaWiki. They affect 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4. They are exploitable only while the installer is in active use, that is, while config/index.php is still present and reachable on the web server rather than removed after setup. NVD does not name the exact vectors; the flaws allow injection of arbitrary web script or HTML into the installer's pages [1].

Exploitation

An attacker needs only network access to the installer page; no authentication is required, since the installer is typically reachable without credentials during setup. With no specific vector published, the realistic attack is the usual reflected-XSS pattern: luring an administrator into visiting a crafted installer URL, or submitting malicious input, while the installer is active. Because a leftover installer often sits on the same host as the live wiki, or on a host that shares a cookie domain with other web services, script injected through it runs in that origin and can be used to attack any web service in the same cookie domain [1].

Impact

Successful exploitation lets the attacker run arbitrary JavaScript in the origin that serves the installer. That enables session hijacking, defacement, and theft of data the victim's browser can reach. If that origin also hosts an active wiki, the attacker can target administrative sessions and gain unauthorized control over the wiki [1].

Mitigation

Fixed versions were released on February 7, 2009: upgrade to MediaWiki 1.6.12, 1.12.4, or 1.13.4 [1]. Upgrading alone is not the whole fix: the installer is only a risk while it is reachable, so after installation remove the config/ directory or deny web access to it, and never expose an active installer to untrusted networks. The MediaWiki team also advises deleting any old, abandoned copies of MediaWiki from the web server, since each one carries its own config/index.php and the same attack surface [1].
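The operational question this advisory leaves open is how to tell whether a given deployment is still exposed. The script below is an added example for this page, not MediaWiki project code and not taken from the advisory's references. It encodes the three affected ranges exactly as stated above (release candidates ordered before their final release, and a build of the fixed version's own rc treated as affected, both assumptions on my part), then scans a webroot for the two facts that matter: the running version and whether config/index.php is still present. It assumes the MediaWiki 1.x convention that the version is recorded as `$wgVersion` in `includes/DefaultSettings.php`; the file tree it builds for the demo is constructed, and the function names are mine.

```python
"""Exposure check for CVE-2009-0737 against a MediaWiki 1.x webroot.

Added example for this advisory page; not MediaWiki project code.
"""
import re
import tempfile
from pathlib import Path

# Branch -> first fixed patch level, taken from the advisory text.
FIXED = {(1, 6): 12, (1, 12): 4, (1, 13): 4}

# Accepts "1.13.3", "1.13", "1.13.0rc1", "1.13.0-rc2" and the CPE spelling "1.13.0:rc1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.:]?rc(\d+))?$", re.I)


def version_key(version):
    """Sortable tuple; release candidates order before the final release.
    A missing patch number is read as .0 (assumption)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MediaWiki version: {version!r}")
    major, minor, patch, rc = m.groups()
    is_final = 0 if rc else 1
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


def affected(version):
    """True/False for the three branches the advisory names; None for any
    other branch, about which the advisory makes no statement."""
    key = version_key(version)
    branch = key[:2]
    if branch not in FIXED:
        return None
    # Everything below the fixed release, including that release's own rc
    # builds, is treated as affected (assumption for the rc case).
    return key < (branch[0], branch[1], FIXED[branch], 1, 0)


# MediaWiki 1.x records its version as e.g.  $wgVersion = '1.13.3';
WGVERSION_RE = re.compile(r"^\$wgVersion\s*=\s*['\"]([^'\"]+)['\"]\s*;", re.M)


def scan_webroot(root):
    """Report version, affected status and whether the installer is still on disk."""
    root = Path(root)
    version = None
    defaults = root / "includes" / "DefaultSettings.php"
    if defaults.is_file():
        m = WGVERSION_RE.search(defaults.read_text(errors="replace"))
        if m:
            version = m.group(1)
    return {
        "version": version,
        "version_affected": affected(version) if version else None,
        "installer_present": (root / "config" / "index.php").is_file(),
        "localsettings_present": (root / "LocalSettings.php").is_file(),
    }


def verdict(report):
    """One-line operator guidance derived from scan_webroot() output."""
    if report["installer_present"] and report["version_affected"]:
        return "EXPOSED: vulnerable installer still reachable; remove config/ and upgrade"
    if report["installer_present"]:
        return "WARN: config/index.php left in webroot; remove it after installation"
    if report["version_affected"]:
        return "UPGRADE: affected version; installer removed, so only latent risk remains"
    return "OK"


def build_sample_tree(root, version, keep_installer):
    """Constructs a minimal fake MediaWiki layout for offline testing (not a real install)."""
    root = Path(root)
    (root / "includes").mkdir(parents=True, exist_ok=True)
    (root / "includes" / "DefaultSettings.php").write_text(f"<?php\n$wgVersion = '{version}';\n")
    (root / "LocalSettings.php").write_text("<?php\n$wgSitename = 'Example';\n")
    if keep_installer:
        (root / "config").mkdir(exist_ok=True)
        (root / "config" / "index.php").write_text("<?php // installer stub (constructed)\n")


def demo_scan(version="1.13.3", keep_installer=True):
    """Builds a constructed tree in a temp dir, scans it, returns (report, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, version, keep_installer)
        report = scan_webroot(tmp)
    return report, verdict(report)


if __name__ == "__main__":
    for v, keep in [("1.13.3", True), ("1.13.4", True), ("1.6.11", False), ("1.14.0", False)]:
        report, msg = demo_scan(v, keep)
        print(f"{v:10} installer={'yes' if keep else 'no':3} -> {msg}")
```

Point `scan_webroot()` at a real document root to use it; the demo only exercises constructed trees. The `None` return for branches the advisory does not mention is deliberate: a 1.7 through 1.11 install was already unsupported in 2009 and should be treated as unknown rather than silently reported clean.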

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

23 MediaWiki versions (cpe:2.3:a:mediawiki:mediawiki:<version>:*:*:*:*:*:*:*):
  • cpe:2.3:a:mediawiki:mediawiki:1.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.6.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.6.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.6.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.6.9:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.6.10:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.6.11:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.12.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.12.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.12.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.12.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.13.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.13.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.13.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.13.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.13.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mediawiki:mediawiki:1.13.3:*:*:*:*:*:*:*

Patches

No patches discovered yet (0 linked).

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

8 references indexed.

News mentions

No linked articles in our index yet (0).