Hi,
I am using Mediawiki version 1.33.0 with Visual Editor installed (hosted on CentOS 7). When i use some scanning tools to scan my site, the following issue pops out. May I ask if there is any way to handle it? Thank you!
CGI abuses: CGI Generic Unseen Parameters Discovery TCP 80
Plugin Output:
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to unseen parameters :
+ The 'debug' parameter of the /mw/load.php CGI :
/mw/load.php?lang=en&modules=ext.visualEditor.desktopArticleTarget.noscr
ipt%257Cmediawiki.legacy.commonPrint%252Cshared%257Cmediawiki.skinning.i
nterface%257Cskins.vector.styles&only=styles&skin=vector&debug=1
-------- output --------
/*
Problematic modules: {"ext.visualEditor.desktopArticleTarget.noscript%7C
mediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.skinning.interface%7Cs
kins.vector.styles":"missing"}
*/
-------- vs --------
/*
Problematic modules: {
"ext.visualEditor.desktopArticleTarget.noscript%7Cmediawiki.le [...]
}
------------------------
Synopsis:
A CGI application hosted on the remote web server is potentially prone to information disclosure or privilege escalation.
Description:
By sending requests with additional parameters such as 'admin', 'debug', or 'test' to CGI scripts hosted on the remote web server, Nessus was able to generate at least one significantly different response even though the parameters themselves do not actually appear in responses.
This behavior suggests that such a parameter, while unseen, are used by the affected application(s) and may enable an attacker to bypass authentication, read confidential data (like the source of the scripts), modify the behavior of the application(s) or conduct similar attacks to gain privileges.
Note that this script is experimental and may be prone to false positives.
Solution:
Inspect the reported CGIs and, if necessary, modify them so that security is not based on obscurity.