Topic on Project:Support desk

Cross-site scripting on entry points

Pdr3112 (talk | contribs)

Facing an issue wherein cross-site scripting validation is possible: with a malicious XSS regex placed, the load.php file goes ahead and parses the same. Faced this issue while security testing a MediaWiki instance.

MediaWiki: 1.18.2, PHP: 5.3, DB: PostgreSQL 9.2

Please find the screenshot as below:

For policy and network restriction reasons, I cannot share the wiki itself, as I have not yet secured permission from the client for hosting the same on the internet.

Florianschmidtwelzow (talk | contribs)
88.130.86.174 (talk | contribs)

Please update to a current version, preferably to MediaWiki 1.23, and check if the problem is still present there. If it still is, please do not disclose further information on it to the public, also not on this very page. Instead, please follow the procedure described on Security! In short: send an e-mail to security@wikimedia.org.
