Florian Weimer skrev: > Package: python-moinmoin > Version: 1.5.7-2 > Tags: security > Severity: grave > > Proof of concept: > > http://moinmoin.wikiwikiweb.de/WikiSandBox?action=AttachFile&do=%3Cblink%3ETest%3C/blink%3E > > This is CVE-2007-2423. Please mention this name in the changelog when > you fix this bug.
Thanks for the report. A fixed package has been uploaded to unstable with urgency=high. For the security team: Unfortunately I do not have access to an etch machine (with development tools installed and not contaminated by non-Debian stuff). Attached is the upstream fix adjusted to moin-1.5.3 in stable (patch 00829..). Simply adding the patch to debian/patches and rebuilding should work. I have not tested whether the patch works, but upstream has, and the adjustments were minor, so I doubt bugs could have crept in. I also have not checked whether the bug is present in the much older version in oldstable. Also attached are a couple of other security-related patches (00821.. and 00825..) that I am unsure are relevant to include as well. Kind regards, - Jonas -- * Jonas Smedegaard - idealist og Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ - Enden er nær: http://www.shibumi.org/eoti.htm
# HG changeset patch
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date 1178406230 -7200
# Node ID 288694f8dfde086358ca18f107cfb48cced03558
# Parent fe2e3e78c269f5f0024491fb9b6041970f4e7a1a
XSS fix for AttachFile 'do' parameter (ajdusted for use with 1.5.3)
--- moin-1.5.3.orig/MoinMoin/action/AttachFile.py 2006-04-05 20:58:07.000000000 +0200
+++ moin-1.5.3/MoinMoin/action/AttachFile.py 2007-05-06 17:25:34.000000000 +0200
@@ -443,6 +443,9 @@
     _ = request.getText
     msg = None
+    do = request.form.get('do')
+    if do is not None:
+        do = do[0]
     if action_name in request.cfg.actions_excluded:
         msg = _('File attachments are not allowed in this wiki!')
     elif request.form.has_key('filepath'):
@@ -452,9 +455,9 @@
             request.write("OK")
         else:
             msg = _('You are not allowed to save a drawing on this page.')
-    elif not request.form.has_key('do'):
+    elif do is None:
         upload_form(pagename, request)
-    elif request.form['do'][0] == 'upload':
+    elif do == 'upload':
         if request.user.may.write(pagename):
             if request.form.has_key('file'):
                 do_upload(pagename, request)
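Review bot: The added `do` normalisation takes the first value of a request parameter that the report's proof of concept shows arriving straight from the query string, yet nothing at that point records that the value is untrusted, so a later maintainer could echo it into a message without the escaping applied further down. I would add `# 'do' is attacker-controlled (query/form value): compare it, never echo it unescaped` above `do = request.form.get('do')`. `do[0]` also assumes `request.form.get` returns a non-empty list; if the 1.5.3 request layer can yield an empty list for `do=`, this raises IndexError rather than showing the upload form, which is worth confirming against that class. The enclosing function starts before this hunk and ends after it.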
@@ -464,33 +467,33 @@
                 msg = _("No file content. Delete non ASCII characters from the file name and try again.")
         else:
             msg = _('You are not allowed to attach a file to this page.')
-    elif request.form['do'][0] == 'del':
+    elif do == 'del':
         if request.user.may.delete(pagename):
             del_file(pagename, request)
         else:
             msg = _('You are not allowed to delete attachments on this page.')
-    elif request.form['do'][0] == 'get':
+    elif do == 'get':
         if request.user.may.read(pagename):
             get_file(pagename, request)
         else:
             msg = _('You are not allowed to get attachments from this page.')
-    elif request.form['do'][0] == 'unzip':
+    elif do == 'unzip':
         if request.user.may.delete(pagename) and request.user.may.read(pagename) and request.user.may.write(pagename):
             unzip_file(pagename, request)
         else:
             msg = _('You are not allowed to unzip attachments of this page.')
-    elif request.form['do'][0] == 'install':
+    elif do == 'install':
         if request.user.isSuperUser():
             install_package(pagename, request)
         else:
             msg = _('You are not allowed to install files.')
-    elif request.form['do'][0] == 'view':
+    elif do == 'view':
         if request.user.may.read(pagename):
             view_file(pagename, request)
         else:
             msg = _('You are not allowed to view attachments of this page.')
     else:
-        msg = _('Unsupported upload action: %s') % (request.form['do'][0],)
+        msg = _('Unsupported upload action: %s') % (wikiutil.escape(do),)
 
     if msg:
         error_msg(pagename, request, msg)
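Review bot: `wikiutil.escape(do)` on the last changed line introduces the name `wikiutil` into this function, and the hunk does not show it being imported; since the cover mail says this backport was neither built nor tested, confirm that `from MoinMoin import wikiutil` (or an equivalent) already exists in 1.5.3's AttachFile.py, otherwise the unsupported-action path becomes a NameError instead of an escaped message. The escape is applied only to this one message, so if `error_msg` does not escape its argument, any other `msg` in this module built from request data needs the same treatment, which is not visible here. The `del`, `unzip` and `install` branches are still dispatched from the same `do` value that the proof of concept delivers via a plain GET URL; the commit does not change that, and it is worth a note to the security team even though it is outside this patch's scope. The enclosing function starts before this hunk.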
# HG changeset patch
# User Alexander Schremmer <alex AT alexanderweb DOT de>
# Date Sun Feb 25 11:01:57 2007 +0100
# Node ID 4949ad88af4e2fce70f2170bf6d09f337b7b83bb
# parent: efdb7eef6c61ba7c2ea97992269ff51a0b96e3bf
Actually check the ACL for the include directive. Fixes a severe security issue. (ajdusted for use with 1.5.3)
--- a/MoinMoin/parser/rst.py Fri Feb 23 19:24:52 2007 +0100
+++ b/MoinMoin/parser/rst.py Sun Feb 25 11:01:57 2007 +0100
@@ -553,15 +553,19 @@ class MoinDirectives:
             return
 
         if len(content):
-            page = Page(page_name = content[0], request = self.request)
-            if page.exists():
-                text = page.get_raw_body()
-                lines = text.split('\n')
-                # Remove the "#format rst" line
-                if lines[0].startswith("#format"):
-                    del lines[0]
+            pagename = content[0]
+            page = Page(page_name=pagename, request=self.request)
+            if not self.request.user.may.read(pagename):
+                lines = [_("**You are not allowed to read the page: %s**") % (pagename, )]
             else:
-                lines = [_("**Could not find the referenced page: %s**") % (content[0],)]
+                if page.exists():
+                    text = page.get_raw_body()
+                    lines = text.split('\n')
+                    # Remove the "#format rst" line
+                    if lines[0].startswith("#format"):
+                        del lines[0]
+                else:
+                    lines = [_("**Could not find the referenced page: %s**") % (pagename, )]
             # Insert the text from the included document and then continue
             # parsing
             state_machine.insert_input(lines, 'MoinDirectives')
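Review bot: The added ACL branch runs the read check before `page.exists()`, so a page the viewer may not read gets the same "not allowed" text whether or not it exists; that ordering is the security-relevant part of the fix and deserves a comment such as `# ACL first: do not reveal whether a page we may not read exists`. Style-wise, the new `else:` that only wraps `if page.exists():` adds a nesting level that `elif page.exists():` would avoid, keeping the final `else:` for the not-found message. Both messages interpolate `pagename` unescaped into lines passed to `state_machine.insert_input`, i.e. as reStructuredText source; whether that is harmless depends on how this parser configures docutils (raw and file-insertion directives), which is not visible in the hunk. The enclosing method starts before this hunk and ends after it.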
# HG changeset patch
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date Mon Apr 02 23:05:14 2007 +0200
# Node ID 0e41a0429ee13f5bba8bca418bc5898df91c91f7
# parent: 5e758e78e32797bb9625bb210572881ac3841f23
MonthCalendar: ACL security fix (ajdusted for use with 1.5.3)
--- a/MoinMoin/macro/MonthCalendar.py Sun Mar 18 23:14:08 2007 +0100
+++ b/MoinMoin/macro/MonthCalendar.py Mon Apr 02 23:05:14 2007 +0200
@@ -389,7 +389,7 @@ def execute(macro, text):
                 else:
                     link = "%s/%4d-%02d-%02d" % (page, year, month, day)
                 daypage = Page(request, link)
-                if daypage.exists():
+                if daypage.exists() and request.user.may.read(link):
                     csslink = "cal-usedday"
                     query = {}
                     r, g, b, u = (255, 0, 0, 1)
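Review bot: The added `request.user.may.read(link)` guard only gates the `cal-usedday` styling in the lines shown, so an ACL-protected day page is no longer advertised through the calendar's CSS class; a short comment, `# ACL: do not highlight (and thereby reveal) day pages the viewer may not read`, would record why `exists()` alone was insufficient. Because the `if` body continues past the hunk, confirm that everything else produced for a used day (for instance any tooltip or link text derived from `daypage`) lives inside this same guarded branch rather than being computed separately from `daypage` or `link`. The enclosing loop and `execute` start before this hunk and end after it.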