Florian Weimer wrote:
Package: python-moinmoin
Version: 1.5.7-2
Tags: security
Severity: grave
Proof of concept:
http://moinmoin.wikiwikiweb.de/WikiSandBox?action=AttachFiledo=%3Cblink%3ETest%3C/blink%3E
This is CVE-2007-2423. Please mention this name in the changelog when
you fix this bug.
Thanks for the report.
A fixed package has been uploaded to unstable with urgency=high.
For the security team:
Unfortunately I do not have access to an etch machine (with development
tools installed and not contaminated by non-Debian stuff).
Attached is the upstream fix adjusted to moin-1.5.3 in stable (patch
00829..). Simply adding the patch to debian/patches and rebuilding
should work.
I have not tested if the patch works, but upstream has, and the
adjustments were minor so I doubt bugs could have crept in. I also have
not checked if the bug is also in the much older version in oldstable.
Also attached are a couple of other security-related patches (00821.. and
00825..) that I am uncertain whether it is relevant to include as well.
Kind regards,
- Jonas
--
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136 Website: http://dr.jones.dk/
- The end is near: http://www.shibumi.org/eoti.htm
# HG changeset patch
# User Thomas Waldmann tw AT waldmann-edv DOT de
# Date 1178406230 -7200
# Node ID 288694f8dfde086358ca18f107cfb48cced03558
# Parent fe2e3e78c269f5f0024491fb9b6041970f4e7a1a
XSS fix for AttachFile 'do' parameter
(adjusted for use with 1.5.3)
--- moin-1.5.3.orig/MoinMoin/action/AttachFile.py 2006-04-05 20:58:07.0 +0200
+++ moin-1.5.3/MoinMoin/action/AttachFile.py 2007-05-06 17:25:34.0 +0200
@@ -443,6 +443,9 @@
_ = request.getText
msg = None
+do = request.form.get('do')
+if do is not None:
+do = do[0]
if action_name in request.cfg.actions_excluded:
msg = _('File attachments are not allowed in this wiki!')
elif request.form.has_key('filepath'):
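Review bot: the added "do = do[0]" raises IndexError when the form carries the 'do' key with an empty value list, because "do is not None" is true for an empty list; the old "request.form['do'][0]" had the same gap, but now that the lookup is centralised here it is the natural place to close it, e.g. "if do: do = do[0]" followed by "else: do = None", so that the "elif do is None:" branch later in the function treats it as a missing parameter.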
@@ -452,9 +455,9 @@
request.write(OK)
else:
msg = _('You are not allowed to save a drawing on this page.')
-elif not request.form.has_key('do'):
+elif do is None:
upload_form(pagename, request)
-elif request.form['do'][0] == 'upload':
+elif do == 'upload':
if request.user.may.write(pagename):
if request.form.has_key('file'):
do_upload(pagename, request)
@@ -464,33 +467,33 @@
msg = _(No file content. Delete non ASCII characters from the file name and try again.)
else:
msg = _('You are not allowed to attach a file to this page.')
-elif request.form['do'][0] == 'del':
+elif do == 'del':
if request.user.may.delete(pagename):
del_file(pagename, request)
else:
msg = _('You are not allowed to delete attachments on this page.')
-elif request.form['do'][0] == 'get':
+elif do == 'get':
if request.user.may.read(pagename):
get_file(pagename, request)
else:
msg = _('You are not allowed to get attachments from this page.')
-elif request.form['do'][0] == 'unzip':
+elif do == 'unzip':
if request.user.may.delete(pagename) and request.user.may.read(pagename) and request.user.may.write(pagename):
unzip_file(pagename, request)
else:
msg = _('You are not allowed to unzip attachments of this page.')
-elif request.form['do'][0] == 'install':
+elif do == 'install':
if request.user.isSuperUser():
install_package(pagename, request)
else:
msg = _('You are not allowed to install files.')
-elif request.form['do'][0] == 'view':
+elif do == 'view':
if request.user.may.read(pagename):
view_file(pagename, request)
else:
msg = _('You are not allowed to view attachments of this page.')
else:
-msg = _('Unsupported upload action: %s') % (request.form['do'][0],)
+msg = _('Unsupported upload action: %s') % (wikiutil.escape(do),)
if msg:
error_msg(pagename, request, msg)
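Review bot: the real XSS fix in this hunk is the single line "msg = _('Unsupported upload action: %s') % (wikiutil.escape(do),)"; the "do == ..." rewrites above it are mechanical and change no behaviour. The hunk does not add an import for wikiutil, so confirm that MoinMoin/action/AttachFile.py in 1.5.3 already imports it, otherwise the unsupported-action path now raises NameError instead of rendering an error. The escaping is sufficient for this hunk because no other branch interpolates user input into msg before it reaches error_msg().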
# HG changeset patch
# User Alexander Schremmer alex AT alexanderweb DOT de
# Date Sun Feb 25 11:01:57 2007 +0100
# Node ID 4949ad88af4e2fce70f2170bf6d09f337b7b83bb
# parent: efdb7eef6c61ba7c2ea97992269ff51a0b96e3bf
Actually check the ACL for the include directive. Fixes a severe security issue.
(adjusted for use with 1.5.3)
--- a/MoinMoin/parser/rst.py Fri Feb 23 19:24:52 2007 +0100
+++ b/MoinMoin/parser/rst.py Sun Feb 25 11:01:57 2007 +0100
@@ -553,15 +553,19 @@ class MoinDirectives:
return
if len(content):
-page = Page(page_name = content[0], request = self.request)
-if page.exists():
-text = page.get_raw_body()
-lines = text.split('\n')
-# Remove the #format rst line
-if
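Review bot: this hunk is cut off after "-if", so only the removed side is visible: the old include directive built "Page(page_name = content[0], request = self.request)" and read "page.get_raw_body()" guarded only by "page.exists()", with no request.user.may.read check, which matches the commit message. The added lines that should introduce the ACL check are not in this excerpt (the header says 15 lines become 19), so the fix itself cannot be reviewed here and the complete patch needs to be checked for it before it is applied to stable.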