CVE-2014-9478 in MediaWiki
Summary
by MITRE
Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/03/2018
The CVE-2014-9478 vulnerability represents a critical cross-site scripting flaw within the MediaWiki platform's ExpandTemplates extension, specifically targeting the preview functionality. This vulnerability arises from insufficient input validation and sanitization mechanisms that fail to properly filter user-supplied data before rendering it in web pages. The flaw becomes particularly dangerous when the MediaWiki configuration variable $wgRawHTML is explicitly enabled, creating an environment where unfiltered HTML content can be processed and displayed to users. The vulnerability specifically affects the Special:ExpandTemplates page, which serves as a tool for expanding template parameters and displaying their rendered output to users.
The technical exploitation of this vulnerability occurs through manipulation of the wpInput parameter within the Special:ExpandTemplates interface. When remote attackers submit malicious payloads through this parameter, the system processes the input without adequate sanitization, allowing attackers to inject arbitrary JavaScript code or HTML content. This injection occurs because the preview functionality treats user input as trusted content when $wgRawHTML is enabled, bypassing normal security controls that would otherwise prevent such code execution. The vulnerability demonstrates a classic XSS pattern where user-controllable input flows directly into the browser without proper context-aware escaping or filtering mechanisms.
The operational impact of CVE-2014-9478 extends beyond simple script injection, potentially enabling sophisticated attacks such as session hijacking, credential theft, and malicious content distribution. Attackers can craft payloads that exploit the preview functionality to deliver malware or phishing content to unsuspecting users who view the affected pages. The vulnerability is particularly concerning in environments where MediaWiki serves as a collaborative platform with multiple users, as a single compromised template could affect numerous visitors. Additionally, the presence of $wgRawHTML in the configuration creates a dangerous combination where legitimate administrative functionality becomes a vector for malicious exploitation, as the system's trust model is undermined when raw HTML processing is enabled.
Security mitigations for this vulnerability should focus on implementing comprehensive input validation and sanitization controls within the ExpandTemplates extension. The most effective approach involves disabling $wgRawHTML by default or implementing strict content security policies that prevent execution of untrusted scripts even when raw HTML processing is enabled. Organizations should also deploy proper parameter validation mechanisms that filter or escape user input before processing, utilizing established XSS prevention techniques such as context-aware output encoding. The implementation of Content Security Policy headers and regular security audits of MediaWiki extensions can help prevent similar vulnerabilities from emerging in the future. This vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and represents a typical ATT&CK technique for initial access through web application exploitation, highlighting the importance of robust input validation and secure coding practices in web applications.