Robert Whitney wrote:

> To Whoever this may concern,
>
> I believe the exploit in use on the Python Wiki could have been the
> following remote arbitrary code execution exploit that myself and some
> fellow researchers have been working with over the past few days. I'm
> not sure if this has quite been reported to the Moin development team,
> however this exploit would be triggered via a URL much like the following:
> http://wiki.python.org/WikiSandBox?action=moinexec&c=uname%20-a
Did you check the MoinMoin security fixes page?

http://moinmo.in/SecurityFixes

What you describe is mentioned as "remote code execution vulnerability in
twikidraw/anywikidraw action CVE-2012-6081".

> This URL of course would cause for the page to output the contents of
> the command "uname -a". I think this is definitely worth your
> researchers looking into, and please be sure to credit myself (Robert
> 'xnite' Whitney; http://xnite.org) for finding & reporting this
> vulnerability.

Have you discovered anything beyond the findings of the referenced,
reported vulnerability, or any of those mentioned in the Debian advisory?

http://www.debian.org/security/2012/dsa-2593

If so, I'm sure that the MoinMoin developers would be interested in
working with you to responsibly mitigate the impact of any deployed,
vulnerable code.

Paul

P.S. Although I don't speak for the MoinMoin developers in any way,
please be advised that any replies to me may be shared with those
developers and indeed any other parties I choose.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
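A wiki operator reading this thread would want to know whether either request shape has already hit their server. The following is an added example, not code from the thread, from MoinMoin, or from either correspondent. It scans access-log lines in the common "combined" format for (1) any request whose `action` parameter is `moinexec`, the URL Robert Whitney describes, and (2) requests to the `twikidraw`/`anywikidraw` actions that carry a path-traversal sequence in any parameter. The second rule is an assumption drawn from the public descriptions of CVE-2012-6081 rather than from anything stated in the thread; the parameter name `target` in the sample lines is likewise assumed, and all log lines are constructed for the example.

```python
"""Scan web-server access logs for the MoinMoin request patterns discussed
in the thread.  Added example; not part of the thread or of MoinMoin.

Rule 1: ``action=moinexec`` (the URL shape described by Robert Whitney).
Rule 2: ``action=twikidraw`` / ``action=anywikidraw`` with a ``..`` path
        component in any parameter.  This pairing is an ASSUMPTION taken from
        public descriptions of CVE-2012-6081, not from the thread itself.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format, up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# A ".." path component delimited by slash/backslash or string ends.
TRAVERSAL = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Dec/2012:14:02:11 +0000] '
    '"GET /WikiSandBox?action=moinexec&c=uname%20-a HTTP/1.1" 200 1532 "-" "curl/7.26.0"',
    '198.51.100.20 - - [29/Dec/2012:14:03:45 +0000] '
    '"GET /WikiSandBox?action=twikidraw&target=../../../../tmp/x HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [29/Dec/2012:14:05:02 +0000] '
    '"GET /WikiSandBox?action=twikidraw&target=MyDrawing HTTP/1.1" 200 4401 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [29/Dec/2012:14:06:30 +0000] '
    '"GET /FrontPage?action=edit HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    # Double-encoded traversal: %252e%252e%252f decodes to ../ only on a second pass.
    '192.0.2.77 - - [29/Dec/2012:14:07:10 +0000] '
    '"GET /WikiSandBox?action=anywikidraw&target=%252e%252e%252fx HTTP/1.1" 200 10 "-" "-"',
    'garbage line that is not in combined format',
]


def parse_line(line):
    """Return a dict with ip, path and decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = unquote(parts.path)
    # parse_qs percent-decodes each value once.
    rec['query'] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return (rule, detail) for a suspicious record, or None."""
    q = rec['query']
    actions = [a.lower() for a in q.get('action', [])]
    if 'moinexec' in actions:
        # The thread's URL passes the command in ``c``.
        return ('moinexec', q.get('c', [''])[0])
    if any(a in ('twikidraw', 'anywikidraw') for a in actions):
        for key, values in q.items():
            for v in values:
                # Decode a second time so %252e%252e is not missed.
                if TRAVERSAL.search(unquote(v)):
                    return ('drawing-traversal', f'{key}={v}')
    return None


def scan(lines):
    """Return a list of (ip, path, rule, detail) for every flagged line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is not None:
            findings.append((rec['ip'], rec['path'], hit[0], hit[1]))
    return findings


if __name__ == '__main__':
    for ip, path, rule, detail in scan(SAMPLE_LOG):
        print(f'{ip}\t{path}\t{rule}\t{detail}')
```

Run it over a real access log with `scan(open('access.log'))`; a hit on the first rule does not by itself prove the action existed on the server (the reply above does not confirm it), so check the response status and size of the matching line before treating it as a successful execution. The traversal rule decodes values twice deliberately, since a single decode would let `%252e%252e` through.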