Hi,

On Sat, 2009-05-02 at 12:40 +1000, Steffen Joeris wrote:
> 
> CVE-2009-1482[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in
> | action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
> | attackers to inject arbitrary web script or HTML via (1) an AttachFile
> | sub-action in the error_msg function or (2) multiple vectors related
> | to package file errors in the upload_form function, different vectors
> | than CVE-2009-0260.
> 
> Please have a look at upstream's announcement[1]. Upstream's patch is
> here[2]. While I agree that it is a good idea to move the escaping to
> a more centralised place, I don't see yet, where it would be
> exploitable. There is escaping in several places, so before we worry
> too much about this, I'd like to see a successful XSS exploit.

I could exploit this vulnerability by injecting arbitrary HTML, onmouseover, etc.

> It might also be worth to include this patch[3] as well, although I
> don't think it is exploitable.

As I explained in my private mail, this can be exploited too. So I have
included it, as suggested.

I have made a patch (against the lenny branch in git) that merely
contains upstream's patches (I prefer to stick to upstream's patch, so
later patches are more likely to apply).

Regards

Franklin
diff --git a/debian/changelog b/debian/changelog
index 38c2799..bda4166 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+moin (1.7.1-3+lenny2) testing-security; urgency=high
+
+  [ Frank Lin PIAT ]
+  * Fix cross-site scripting vulnerability in action/AttachFile.py
+    (Closes: #526594), Thanks to Steffen Joeris.
+    Fixes: CVE-2009-1482
+  * Add mode escaping to AttachFile move (maybe not XSS exploitable
+    though)
+
+ -- Jonas Smedegaard <d...@jones.dk>  Sat, 02 May 2009 13:35:08 +0200
+
 moin (1.7.1-3+lenny1) testing-security; urgency=high
 
   * Non-maintainer upload by the security team
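Review bot: the second bullet says "Add mode escaping" (presumably "more") and describes the move-form fix as "maybe not XSS exploitable though", which contradicts the mail body, where the uploader states this case can be exploited too; the changelog is what ends up in the security advisory text, so either drop the hedge or word it consistently with the mail, e.g. "Escape page and attachment name in the AttachFile move form (also CVE-2009-1482)". The `[ Frank Lin PIAT ]` block under a sign-off by a different person is fine as a team-upload convention, but it is worth confirming that is intended before upload.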
diff --git a/debian/patches/00003_CVE-2009-1482.patch b/debian/patches/00003_CVE-2009-1482.patch
new file mode 100644
index 0000000..979b24f
--- /dev/null
+++ b/debian/patches/00003_CVE-2009-1482.patch
@@ -0,0 +1,56 @@
+--- a/MoinMoin/action/AttachFile.py	Mon Apr 13 14:09:57 2009 +0200
++++ b/MoinMoin/action/AttachFile.py	Sat Apr 18 18:58:25 2009 +0200
+@@ -387,6 +387,7 @@
+ 
+ 
+ def error_msg(pagename, request, msg):
++    msg = wikiutil.escape(msg)
+     request.theme.add_msg(msg, "error")
+     Page(request, pagename).send_page()
+ 
+@@ -512,7 +513,7 @@
+     if handler:
+         msg = handler(pagename, request)
+     else:
+-        msg = _('Unsupported AttachFile sub-action: %s') % (wikiutil.escape(do[0]), )
++        msg = _('Unsupported AttachFile sub-action: %s') % do[0]
+     if msg:
+         error_msg(pagename, request, msg)
+ 
+@@ -522,6 +523,8 @@
+ 
+ 
+ def upload_form(pagename, request, msg=''):
++    if msg:
++        msg = wikiutil.escape(msg)
+     _ = request.getText
+ 
+     request.emit_http_headers()
+@@ -838,13 +841,13 @@
+ 
+     if package.isPackage():
+         if package.installPackage():
+-            msg = _("Attachment '%(filename)s' installed.") % {'filename': wikiutil.escape(target)}
++            msg = _("Attachment '%(filename)s' installed.") % {'filename': target}
+         else:
+-            msg = _("Installation of '%(filename)s' failed.") % {'filename': wikiutil.escape(target)}
++            msg = _("Installation of '%(filename)s' failed.") % {'filename': target}
+         if package.msg:
+-            msg += "<br><pre>%s</pre>" % wikiutil.escape(package.msg)
++            msg += " " + package.msg
+     else:
+-        msg = _('The file %s is not a MoinMoin package file.') % wikiutil.escape(target)
++        msg = _('The file %s is not a MoinMoin package file.') % target
+ 
+     upload_form(pagename, request, msg=msg)
+ 
+@@ -948,7 +951,7 @@
+         logging.exception("An exception within zip file attachment handling occurred:")
+         msg = _("A severe error occurred:") + ' ' + str(err)
+ 
+-    upload_form(pagename, request, msg=wikiutil.escape(msg))
++    upload_form(pagename, request, msg=msg)
+ 
+ 
+ def send_viewfile(pagename, request):
+
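Review bot: this hunk changes the contract of `error_msg()` and `upload_form()` from "caller escapes" to "callee escapes", but only the callers visible here are adjusted; any other caller in AttachFile.py that still pre-escapes its message will now be double-escaped (rendering `&amp;lt;` literally), and any caller that deliberately passes markup will have it shown as text. The removal of `"<br><pre>%s</pre>" % wikiutil.escape(package.msg)` in favour of `" " + package.msg` shows the author hit exactly that case, so please grep the rest of the file for `upload_form(` and `error_msg(` before upload. Also note that `error_msg()` escapes with `wikiutil.escape(msg)` (no quote flag), which is only sufficient while `add_msg()` emits the text as element content and never inside an attribute.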
diff --git a/debian/patches/00004_CVE-2009-1482-extra.patch b/debian/patches/00004_CVE-2009-1482-extra.patch
new file mode 100644
index 0000000..4f9850d
--- /dev/null
+++ b/debian/patches/00004_CVE-2009-1482-extra.patch
@@ -0,0 +1,14 @@
+--- a/MoinMoin/action/AttachFile.py	Sat Apr 18 18:58:25 2009 +0200
++++ b/MoinMoin/action/AttachFile.py	Sat Apr 18 19:09:16 2009 +0200
+@@ -749,9 +749,9 @@
+          'baseurl': request.getScriptname(),
+          'do': 'attachment_move',
+          'ticket': wikiutil.createTicket(request),
+-         'pagename': pagename,
++         'pagename': wikiutil.escape(pagename, 1),
+          'pagename_quoted': wikiutil.quoteWikinameURL(pagename),
+-         'attachment_name': filename,
++         'attachment_name': wikiutil.escape(filename, 1),
+          'move': _('Move'),
+          'cancel': _('Cancel'),
+          'newname_label': _("New page name"),
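Review bot: using `wikiutil.escape(..., 1)` (quote flag) for `pagename` and `attachment_name` is the right call here, since the dict feeds a form template where these land in attribute values; please confirm the template uses double-quoted attributes for both, because the quote flag is only guaranteed to handle `"`, and a single-quoted attribute would still need `'` covered. The `---` timestamp of this patch matches the `+++` timestamp of 00003, so it was generated on top of that patch and must stay after it in the series.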
diff --git a/debian/patches/series b/debian/patches/series
index e2fccb2..9f502c2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,5 @@
 20002_hardcode_configdir.patch
 00001_CVE-2009-0260-XSS.patch
 00002_CVE-2009-0312-XSS-antispam.patch
+00003_CVE-2009-1482.patch
+00004_CVE-2009-1482-extra.patch
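Review bot: both new patches touch `MoinMoin/action/AttachFile.py`, which `00001_CVE-2009-0260-XSS.patch` already modifies, and their `00003`/`00004` prefixes sort before the existing `20002_` entry even though they are appended last; since quilt applies in series order rather than by name, that is fine, but the build should be verified with a clean `quilt push -a` to make sure 00003 and 00004 still apply with the earlier AttachFile.py changes in place.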
-- 
1.5.6.5
