Hi,

On Sat, 2009-05-02 at 12:40 +1000, Steffen Joeris wrote:
>
> CVE-2009-1482[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in
> | action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
> | attackers to inject arbitrary web script or HTML via (1) an AttachFile
> | sub-action in the error_msg function or (2) multiple vectors related
> | to package file errors in the upload_form function, different vectors
> | than CVE-2009-0260.
>
> Please have a look at upstream's announcement[1]. Upstream's patch is
> here[2]. While I agree that it is a good idea to move the escaping to
> a more centralised place, I don't see yet where it would be
> exploitable. There is escaping in several places, so before we worry
> too much about this, I'd like to see a successful XSS exploit.
I could exploit this vulnerability by injecting arbitrary HTML, onmouseover...

> It might also be worth including this patch[3] as well, although I
> don't think it is exploitable.

As I explained in my private mail, this can be exploited too. So I have
included it, as suggested.

I have made a patch (against the lenny branch in git) that merely contains
upstream's patches (I prefer to stick to upstream's patches, so later patches
are more likely to apply).

Regards

Franklin
diff --git a/debian/changelog b/debian/changelog index 38c2799..bda4166 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +moin (1.7.1-3+lenny2) testing-security; urgency=high + + [ Frank Lin PIAT ] + * Fix cross-site scripting vulnerability in action/AttachFile.py + (Closes: #526594), Thanks to Steffen Joeris. + Fixes: CVE-2009-1482 + * Add mode escaping to AttachFile move (maybe not XSS exploitable + though) + + -- Jonas Smedegaard <d...@jones.dk> Sat, 02 May 2009 13:35:08 +0200 + moin (1.7.1-3+lenny1) testing-security; urgency=high * Non-maintainer upload by the security team diff --git a/debian/patches/00003_CVE-2009-1482.patch b/debian/patches/00003_CVE-2009-1482.patch new file mode 100644 index 0000000..979b24f --- /dev/null +++ b/debian/patches/00003_CVE-2009-1482.patch 
@@ -0,0 +1,56 @@ +--- a/MoinMoin/action/AttachFile.py Mon Apr 13 14:09:57 2009 +0200 ++++ b/MoinMoin/action/AttachFile.py Sat Apr 18 18:58:25 2009 +0200 +@@ -387,6 +387,7 @@ + + + def error_msg(pagename, request, msg): ++ msg = wikiutil.escape(msg) + request.theme.add_msg(msg, "error") + Page(request, pagename).send_page() + +@@ -512,7 +513,7 @@ + if handler: + msg = handler(pagename, request) + else: +- msg = _('Unsupported AttachFile sub-action: %s') % (wikiutil.escape(do[0]), ) ++ msg = _('Unsupported AttachFile sub-action: %s') % do[0] + if msg: + error_msg(pagename, request, msg) + +@@ -522,6 +523,8 @@ + + + def upload_form(pagename, request, msg=''): ++ if msg: ++ msg = wikiutil.escape(msg) + _ = request.getText + + request.emit_http_headers() +@@ -838,13 +841,13 @@ + + if package.isPackage(): + if package.installPackage(): +- msg = _("Attachment '%(filename)s' installed.") % {'filename': wikiutil.escape(target)} ++ msg = _("Attachment '%(filename)s' installed.") % {'filename': target} + else: +- msg = _("Installation of '%(filename)s' failed.") % {'filename': wikiutil.escape(target)} ++ msg = _("Installation of '%(filename)s' failed.") % {'filename': target} + if package.msg: +- msg += "<br><pre>%s</pre>" % wikiutil.escape(package.msg) ++ msg += " " + package.msg + else: +- msg = _('The file %s is not a MoinMoin package file.') % wikiutil.escape(target) ++ msg = _('The file %s is not a MoinMoin package file.') % target + + upload_form(pagename, request, msg=msg) + +@@ -948,7 +951,7 @@ + logging.exception("An exception within zip file attachment handling occurred:") + msg = _("A severe error occurred:") + ' ' + str(err) + +- upload_form(pagename, request, msg=wikiutil.escape(msg)) ++ upload_form(pagename, request, msg=msg) + + + def send_viewfile(pagename, request): + diff --git a/debian/patches/00004_CVE-2009-1482-extra.patch b/debian/patches/00004_CVE-2009-1482-extra.patch new file mode 100644 index 0000000..4f9850d --- /dev/null 
+++ b/debian/patches/00004_CVE-2009-1482-extra.patch @@ -0,0 +1,14 @@ +--- a/MoinMoin/action/AttachFile.py Sat Apr 18 18:58:25 2009 +0200 ++++ b/MoinMoin/action/AttachFile.py Sat Apr 18 19:09:16 2009 +0200 +@@ -749,9 +749,9 @@ + 'baseurl': request.getScriptname(), + 'do': 'attachment_move', + 'ticket': wikiutil.createTicket(request), +- 'pagename': pagename, ++ 'pagename': wikiutil.escape(pagename, 1), + 'pagename_quoted': wikiutil.quoteWikinameURL(pagename), +- 'attachment_name': filename, ++ 'attachment_name': wikiutil.escape(filename, 1), + 'move': _('Move'), + 'cancel': _('Cancel'), + 'newname_label': _("New page name"), diff --git a/debian/patches/series b/debian/patches/series index e2fccb2..9f502c2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,5 @@ 20002_hardcode_configdir.patch 00001_CVE-2009-0260-XSS.patch 00002_CVE-2009-0312-XSS-antispam.patch +00003_CVE-2009-1482.patch +00004_CVE-2009-1482-extra.patch -- 1.5.6.5
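Review bot: In the debian/changelog hunk, "Add mode escaping to AttachFile move" reads as a typo for "Add more escaping"; also the new entry copies the previous entry's distribution field "testing-security" for version 1.7.1-3+lenny2, so confirm that is still the intended target for this lenny upload before it goes out.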
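Review bot: Moving the escape into the sink (the `@@ -387` hunk of 00003_CVE-2009-1482.patch adds `msg = wikiutil.escape(msg)` at the top of error_msg, and the `@@ -522` hunk does the same in upload_form) means any caller that still passes a pre-escaped string now gets double-escaped output, rendering literally as `&amp;lt;` instead of `<`. The patch removes the call-site escaping only in the hunks shown (`@@ -512`, `@@ -838`, `@@ -948`), so check the remaining callers of error_msg and upload_form in AttachFile.py, and any other action module that imports them, before applying.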
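Review bot: The `@@ -838` hunk replaces `msg += "<br><pre>%s</pre>" % wikiutil.escape(package.msg)` with `msg += " " + package.msg`, which drops the line break and preformatted block: since upload_form now escapes the whole message, that markup would otherwise be shown literally. The trade is correct for an upstream security fix, but the package installer output will now appear as one run of text, and that visible change is worth a line in the changelog.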
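Review bot: In the `@@ -749` hunk of 00004_CVE-2009-1482-extra.patch, `wikiutil.escape(pagename, 1)` and `wikiutil.escape(filename, 1)` use the quote flag, which is what values placed in HTML attribute positions need, while 'pagename_quoted' keeps quoteWikinameURL for the URL position; the remaining raw entries in the same dictionary ('baseurl' from getScriptname, 'ticket' from createTicket) should be confirmed as server-controlled. This patch's `---` header timestamp (Sat Apr 18 18:58:25) is the `+++` timestamp of 00003, so the order added to debian/patches/series (00003 before 00004) must be kept.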
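To make the design point in the discussion concrete (escaping at each call site versus escaping once at the sink, plus the double-escaping caveat and the attribute-context quote flag), here is an added Python example; it is not code from the thread or from MoinMoin. It assumes a stand-in `escape` built on `html.escape` in place of `wikiutil.escape`, and all function names are hypothetical models of the before/after shapes visible in the hunks.

```python
import html


def escape(text, quote=0):
    """Stand-in for MoinMoin's wikiutil.escape (assumption: it turns &, <, >
    into entities and, when quote is true, the double quote as well).
    Built on the standard library here; html.escape(quote=True) also escapes
    the single quote, which is harmless in an attribute context."""
    return html.escape(text, quote=bool(quote))


# --- "before": each call site escapes, the sink trusts its argument --------

def unsupported_sub_action_before(sub_action):
    # Models the removed line of the @@ -512 hunk: the call site escapes do[0].
    return "Unsupported AttachFile sub-action: %s" % escape(sub_action)


def error_msg_before(msg):
    # Sink with no escaping: only safe if *every* caller remembered to escape.
    return msg


# --- "after": the sink escapes, callers pass raw text ----------------------

def error_msg_after(msg):
    # Single choke point, as in the @@ -387 hunk of upstream's patch.
    return escape(msg)


def unsupported_sub_action_after(sub_action):
    # Raw user-controlled text goes in; the sink neutralises it.
    return error_msg_after("Unsupported AttachFile sub-action: %s" % sub_action)


def upload_form_after(msg=""):
    # Models the @@ -522 hunk: escape once, at the point the message is shown.
    if msg:
        msg = escape(msg)
    return msg


def package_result_after(target, package_msg):
    # Models the @@ -838 hunk: the message is built from raw parts and the
    # former "<br><pre>...</pre>" wrapper is gone, because upload_form_after
    # would escape that markup along with everything else.
    msg = "Attachment '%(filename)s' installed." % {"filename": target}
    msg += " " + package_msg
    return upload_form_after(msg)


def move_form_fields_after(pagename, filename):
    # Models the 00004 hunk: values destined for HTML attribute positions are
    # escaped with quote=1 so a double quote cannot close the attribute.
    return {
        "pagename": escape(pagename, 1),
        "attachment_name": escape(filename, 1),
    }


if __name__ == "__main__":
    # Constructed sample input: markup in the sub-action name.
    bad = '<b onmouseover="x">do</b>'
    print(error_msg_before(unsupported_sub_action_before(bad)))
    print(unsupported_sub_action_after(bad))
    # Caveat: a caller that still pre-escapes gets double-escaped output.
    print(error_msg_after(escape("a<b")))
    print(package_result_after("f.zip", "line 1<br>line 2"))
    print(move_form_fields_after('Page"name', "file.txt"))
```

The two shapes produce identical output for the sub-action case; the difference is that the "after" shape stays safe when a new caller is added without an escape, whereas a caller that keeps its own escape now shows `&amp;lt;` where it meant `<`, which is why every remaining caller has to be audited when a patch like this is applied.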