CVE-2015-6729 in MediaWiki
Summary
by MITRE
Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to inject arbitrary web script or HTML via the rel404 parameter, which is not properly handled in an error page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 06/14/2022
The CVE-2015-6729 vulnerability represents a critical cross-site scripting flaw discovered in MediaWiki's thumb.php script, affecting multiple versions including 1.23.10, 1.24.3, and 1.25.2 releases. This vulnerability resides within the error handling mechanism of the MediaWiki platform, specifically in how the application processes the rel404 parameter during file not found scenarios. The flaw enables remote attackers to execute malicious scripts within the context of a victim's browser session, potentially leading to unauthorized actions or data theft. The vulnerability is classified under CWE-79 as an improper neutralization of input during web output, which directly impacts the application's ability to sanitize user-supplied data before rendering it in web pages.
The technical exploitation of this vulnerability occurs when an attacker crafts a malicious URL containing the rel404 parameter with embedded JavaScript code or HTML tags. When the MediaWiki system encounters a missing file scenario, it renders an error page that includes the unvalidated rel404 parameter value directly in the HTML output without proper sanitization or encoding. This creates an XSS vector where the malicious payload executes in the victim's browser context, potentially allowing attackers to steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users. The vulnerability is particularly concerning because it operates through the error handling pathway, which is often less scrutinized than core application logic and may not undergo the same input validation procedures.
The operational impact of this vulnerability extends beyond simple script execution, as it can be leveraged for more sophisticated attacks within the MediaWiki ecosystem. Attackers could potentially use this vector to escalate privileges, access restricted content, or manipulate wiki pages through session hijacking. The vulnerability affects all users interacting with the MediaWiki platform, including administrators and regular contributors, making it a significant concern for organizations relying on wiki-based collaboration systems. The attack surface is broad since any MediaWiki instance with vulnerable versions could be exploited, particularly those with public-facing wikis or those that allow user uploads and file references.
Organizations should implement immediate mitigations including upgrading to patched versions of MediaWiki, specifically versions 1.23.10, 1.24.3, and 1.25.2 where the vulnerability has been addressed. The fix typically involves proper input sanitization and output encoding of the rel404 parameter within error pages, ensuring that any user-supplied content is escaped before being rendered in HTML contexts. Additional protective measures include implementing content security policies to limit script execution, deploying web application firewalls to detect and block malicious payloads, and conducting regular security assessments of wiki environments. The vulnerability demonstrates the importance of input validation across all application pathways including error handling mechanisms, aligning with ATT&CK technique T1213 for data from information repositories and T1059 for command and scripting interpreter. Organizations should also consider implementing automated patch management systems to ensure timely deployment of security updates and maintain comprehensive monitoring of user activity for potential exploitation attempts.