Florian Weimer skrev:
> Package: python-moinmoin
> Version: 1.5.7-2
> Tags: security
> Severity: grave
>
> Proof of concept:
>
> http://moinmoin.wikiwikiweb.de/WikiSandBox?action=AttachFile&do=%3Cblink%3ETest%3C/blink%3E
>
> This is CVE-2007-2423. Please mention this name in the changelog when
> you fix this bug.
Thanks for the report.
A fixed package has been uploaded to unstable with urgency=high.
For the security team:
Unfortunately I do not have access to an etch machine (with development
tools installed and not contaminated by non-Debian stuff).
Attached is the upstream fix adjusted to moin-1.5.3 in stable (patch
00829..). Simply adding the patch to debian/patches and rebuilding
should work.
I have not tested if the patch works, but upstream has, and the
adjustments were minor so I doubt bugs could have crept in. I also have
not checked if the bug is also in the much older version in oldstable.
Also attached are a couple of other security-related patches (00821.. and
00825..); I am uncertain whether they are relevant to include as well.
Kind regards,
- Jonas
--
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
- Enden er nær: http://www.shibumi.org/eoti.htm
# HG changeset patch
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date 1178406230 -7200
# Node ID 288694f8dfde086358ca18f107cfb48cced03558
# Parent fe2e3e78c269f5f0024491fb9b6041970f4e7a1a
XSS fix for AttachFile 'do' parameter
(adjusted for use with 1.5.3)
--- moin-1.5.3.orig/MoinMoin/action/AttachFile.py 2006-04-05 20:58:07.000000000 +0200
+++ moin-1.5.3/MoinMoin/action/AttachFile.py 2007-05-06 17:25:34.000000000 +0200
@@ -443,6 +443,9 @@
_ = request.getText
msg = None
+ do = request.form.get('do')
+ if do is not None:
+ do = do[0]
if action_name in request.cfg.actions_excluded:
msg = _('File attachments are not allowed in this wiki!')
elif request.form.has_key('filepath'):
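Review bot: The new `do = request.form.get('do')` / `do = do[0]` lines rely on form values being lists, which nothing in the hunk states, so a one-line comment would save the next reader from guessing, e.g. `# request.form maps each field to a list of values; keep only the first 'do' value so the branches below compare plain strings`. Indexing `[0]` would raise IndexError if the parser ever produced an empty list; presumably it never does, but that is worth confirming against the request class. The enclosing function starts before this hunk.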
@@ -452,9 +455,9 @@
request.write("OK")
else:
msg = _('You are not allowed to save a drawing on this page.')
- elif not request.form.has_key('do'):
+ elif do is None:
upload_form(pagename, request)
- elif request.form['do'][0] == 'upload':
+ elif do == 'upload':
if request.user.may.write(pagename):
if request.form.has_key('file'):
do_upload(pagename, request)
@@ -464,33 +467,33 @@
msg = _("No file content. Delete non ASCII characters from the file name and try again.")
else:
msg = _('You are not allowed to attach a file to this page.')
- elif request.form['do'][0] == 'del':
+ elif do == 'del':
if request.user.may.delete(pagename):
del_file(pagename, request)
else:
msg = _('You are not allowed to delete attachments on this page.')
- elif request.form['do'][0] == 'get':
+ elif do == 'get':
if request.user.may.read(pagename):
get_file(pagename, request)
else:
msg = _('You are not allowed to get attachments from this page.')
- elif request.form['do'][0] == 'unzip':
+ elif do == 'unzip':
if request.user.may.delete(pagename) and request.user.may.read(pagename) and request.user.may.write(pagename):
unzip_file(pagename, request)
else:
msg = _('You are not allowed to unzip attachments of this page.')
- elif request.form['do'][0] == 'install':
+ elif do == 'install':
if request.user.isSuperUser():
install_package(pagename, request)
else:
msg = _('You are not allowed to install files.')
- elif request.form['do'][0] == 'view':
+ elif do == 'view':
if request.user.may.read(pagename):
view_file(pagename, request)
else:
msg = _('You are not allowed to view attachments of this page.')
else:
- msg = _('Unsupported upload action: %s') % (request.form['do'][0],)
+ msg = _('Unsupported upload action: %s') % (wikiutil.escape(do),)
if msg:
error_msg(pagename, request, msg)
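Review bot: `wikiutil.escape(do)` on the last changed line fixes the one place this function echoes the request-supplied `do` value, but the escaping is done at the call site, which presumably means `error_msg` treats `msg` as already-rendered markup and every other caller that interpolates request data into a message needs the same care. If `error_msg` does not escape internally, a comment at the call such as `# msg is emitted as markup: escape any request-supplied text before interpolating it` would make that contract explicit; alternatively the escaping could live in `error_msg`, provided no caller relies on passing markup. The fixed-string messages in the other branches are unaffected. The enclosing function begins before the hunk and may continue after it.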
# HG changeset patch
# User Alexander Schremmer <alex AT alexanderweb DOT de>
# Date Sun Feb 25 11:01:57 2007 +0100
# Node ID 4949ad88af4e2fce70f2170bf6d09f337b7b83bb
# parent: efdb7eef6c61ba7c2ea97992269ff51a0b96e3bf
Actually check the ACL for the include directive. Fixes a severe security issue.
(adjusted for use with 1.5.3)
--- a/MoinMoin/parser/rst.py Fri Feb 23 19:24:52 2007 +0100
+++ b/MoinMoin/parser/rst.py Sun Feb 25 11:01:57 2007 +0100
@@ -553,15 +553,19 @@ class MoinDirectives:
return
if len(content):
- page = Page(page_name = content[0], request = self.request)
- if page.exists():
- text = page.get_raw_body()
- lines = text.split('\n')
- # Remove the "#format rst" line
- if lines[0].startswith("#format"):
- del lines[0]
+ pagename = content[0]
+ page = Page(page_name=pagename, request=self.request)
+ if not self.request.user.may.read(pagename):
+ lines = [_("**You are not allowed to read the page: %s**") % (pagename, )]
else:
- lines = [_("**Could not find the referenced page: %s**") % (content[0],)]
+ if page.exists():
+ text = page.get_raw_body()
+ lines = text.split('\n')
+ # Remove the "#format rst" line
+ if lines[0].startswith("#format"):
+ del lines[0]
+ else:
+ lines = [_("**Could not find the referenced page: %s**") % (pagename, )]
# Insert the text from the included document and then continue
# parsing
state_machine.insert_input(lines, 'MoinDirectives')
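Review bot: The read-ACL check `if not self.request.user.may.read(pagename):` now runs before `page.exists()`, so an unreadable page yields the "not allowed" text whether or not it exists; that is the safer ordering, since it does not reveal the existence of pages the reader may not see, but the intent is not obvious and deserves a comment, e.g. `# Check read rights before existence so unreadable pages are not distinguishable from missing ones`. The `Page` object is also constructed before the check and is unused on the denied branch, so building it inside the `else` would be slightly tidier. Both messages still interpolate `pagename` into reST source as the original did. The enclosing method begins before the hunk.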
# HG changeset patch
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date Mon Apr 02 23:05:14 2007 +0200
# Node ID 0e41a0429ee13f5bba8bca418bc5898df91c91f7
# parent: 5e758e78e32797bb9625bb210572881ac3841f23
MonthCalendar: ACL security fix
(adjusted for use with 1.5.3)
--- a/MoinMoin/macro/MonthCalendar.py Sun Mar 18 23:14:08 2007 +0100
+++ b/MoinMoin/macro/MonthCalendar.py Mon Apr 02 23:05:14 2007 +0200
@@ -389,7 +389,7 @@ def execute(macro, text):
else:
link = "%s/%4d-%02d-%02d" % (page, year, month, day)
daypage = Page(request, link)
- if daypage.exists():
+ if daypage.exists() and request.user.may.read(link):
csslink = "cal-usedday"
query = {}
r, g, b, u = (255, 0, 0, 1)
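Review bot: The added `request.user.may.read(link)` gates only the `cal-usedday` branch that follows, and `request` is not bound anywhere in the hunk, so it is presumably a local set earlier in `execute` from the macro object; worth confirming. A comment on the changed line such as `# only mark and link days whose page the current user may actually read` would document why existence alone is no longer sufficient. The check now runs once per calendar day for every page shown, which may be noticeable if ACL evaluation is costly. The enclosing function `execute` starts before the hunk and continues past it.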