FINDING ID: iSEC-WMF1214-7
TARGETS: The following pages:
• http://devwiki/w/index.php?title=User:Admin/common.js
• http://devwiki/w/load.php?debug=false&lang=en&modules=user&only=scripts&skin=vector&user=Admin
• http://devwiki/wiki/User:Admin/(skinname).js
DESCRIPTION: MediaWiki allows users to upload custom JavaScript and CSS to alter the interface and
functionality of the system. This code is stored as a wiki page, and is visible to any user of the system.
EXPLOIT SCENARIO: A user uploads JavaScript containing personal information that may de-anonymize
that user. While the contents of this script are not part of the main indexed website, another user
changes the username in one of the above URLs to view the victim's custom code, learning information
that may be used to identify the owner of the custom code.
SHORT TERM SOLUTION: Treat custom scripts the same as other user preferences by disallowing users
from examining these customizations unless they are associated with the logged-in account.
LONG TERM SOLUTION: The custom JavaScript system has several deficiencies. Consider deprecating
this functionality and allowing users to customize the site using client-side code instead.
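
The owner check from the short term solution, sketched as an added example (not MediaWiki code and not part of the original finding): it maps each of the three target URL forms to the user whose custom code it would disclose and allows the request only for that account. The function names, the single-level subpage pattern and the title normalization are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# User subpages holding custom code: common.js/.css or <skinname>.js/.css
# (assumption: one subpage level only).
_CUSTOM_CODE = re.compile(r"^User:([^/]+)/[^/]+\.(?:js|css)$", re.IGNORECASE)

def _normalize(name):
    # Assumption: underscores equal spaces and the first letter is capitalized.
    name = name.replace("_", " ").strip()
    return name[:1].upper() + name[1:]

def script_owner(url):
    """Return the user whose custom code this URL would disclose, or None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    path = unquote(parts.path)
    if path.endswith("/load.php"):
        # The per-user module is requested by name, with the owner in `user`.
        modules = query.get("modules", [""])[0].split("|")
        if "user" in modules:
            return _normalize(query.get("user", [""])[0]) or None
        return None
    if path.endswith("/index.php"):
        title = query.get("title", [""])[0]
    elif "/wiki/" in path:
        title = path.split("/wiki/", 1)[1]
    else:
        return None
    match = _CUSTOM_CODE.match(title.replace("_", " "))
    return _normalize(match.group(1)) if match else None

def may_view(url, session_user):
    """Allow custom-code URLs only for the account that owns the code."""
    owner = script_owner(url)
    if owner is None:
        return True  # not a custom-code URL; other access rules still apply
    return session_user is not None and _normalize(session_user) == owner

if __name__ == "__main__":
    # Constructed requests based on the TARGETS above; "Mallory" is made up.
    targets = [
        "http://devwiki/w/index.php?title=User:Admin/common.js",
        "http://devwiki/w/load.php?debug=false&lang=en&modules=user"
        "&only=scripts&skin=vector&user=Admin",
        "http://devwiki/wiki/User:Admin/vector.js",
    ]
    for url in targets:
        for viewer in ("Admin", "Mallory", None):
            print(viewer, may_view(url, viewer), url)
```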