Topic on Project:Support desk

Patches for Cross Scripting vulnerability

Cloudgurushiva (talkcontribs)

We are in the process of hosting a small community site and, as part of vulnerability scans, found the issues listed below. Do you have any patches that I can run to avoid getting into issues of session cookie theft and other issues?

8 instances of this issue were identified, at the following locations:

  • /load.php [modules parameter]
  • /api.php [action parameter]
  • /api.php [formatversion parameter]
  • /api.php [iiprop parameter]
  • /api.php [meta parameter]
  • /api.php [name of an arbitrarily supplied URL parameter]
  • /api.php [prop parameter]
  • /api.php [titles parameter]
Malyacko (talkcontribs)

What **exactly** makes you think that there is some "Cross Scripting Vulnerability" somewhere? What is "Cross scripting"? If you meant "Cross-site scripting" (see https://en.wikipedia.org/wiki/Cross-site_scripting), have you found a specific test case that you have tested yourself and could actively abuse? If that is the case, please see Reporting security bugs and include MediaWiki version information.

If this is just about the general API (which is not a vulnerability at all in itself), you can disable the API.

Bawolff (talkcontribs)

Some automated scanners are of poor quality and have false positives on the API. Usually you can ignore these unless you can actually reproduce the issue.

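The advice above amounts to reproducing each finding by hand before treating it as real. As an added example (not code from this thread or from MediaWiki), the following Python helper triages a scanner's "reflected parameter" report from captured HTTP responses: a reflection only matters as HTML-context XSS if the response is served as `text/html` and the probe survives unescaped, which is why api.php's JSON responses are usually false positives. The probe string and all responses are constructed samples.

```python
"""Triage scanner 'reflected XSS' findings against api.php / load.php responses.

Constructed example. A reflected value is only an HTML-context injection if
the browser renders the response as HTML and the value is not escaped.
"""
import html

# Harmless probe (assumption): only needs the characters HTML escaping must neutralise.
PROBE = "<probe>"


def parse_response(raw: str):
    """Split a raw HTTP response into (headers, body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def classify(raw: str, probe: str = PROBE) -> str:
    """Return a triage verdict for one captured response."""
    headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    escaped = html.escape(probe, quote=True)
    if probe not in body and escaped not in body:
        return "not-reflected"
    if ctype != "text/html":
        # JSON/JS/plain bodies are not parsed as HTML; nosniff blocks MIME guessing.
        return "false-positive: non-HTML content type" + (" (nosniff)" if nosniff else "")
    if escaped in body and probe not in body:
        return "false-positive: reflected but HTML-escaped"
    return "needs-review: reflected unescaped in HTML"


# Constructed sample responses, as a scanner might have captured them.
SAMPLES = {
    "api_json": "HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n"
                "X-Content-Type-Options: nosniff\r\n\r\n"
                '{"error":{"code":"badvalue","info":"Unrecognized value for parameter prop: <probe>"}}',
    "html_escaped": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
                    "<html><body><p>Unknown module: &lt;probe&gt;</p></body></html>",
    "html_raw": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
                "<html><body><p>Unknown module: <probe></p></body></html>",
    "html_none": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>ok</body></html>",
}


def triage_all(samples=SAMPLES) -> dict:
    """Classify every captured response; only 'needs-review' entries deserve a bug report."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name}: {verdict}")
```

Only findings that come back as `needs-review` are worth reproducing in a browser and reporting with version information, as the replies above suggest.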