Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue [moin 1.5 / oldstable not affected]
On Tue, 5 May 2009 09:28:08 pm Jonas Smedegaard wrote:
> On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote:
> > P.S. can you upload moin 1.7, I can't since I am not DD/DM.
>
> I'll do it now!
>
>  - Jonas

Also, please upload fixed packages for unstable with urgency high. :)

Cheers
Steffen
Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue [moin 1.5 / oldstable not affected]
On Wed, 2009-05-06 at 21:22 +1000, Steffen Joeris wrote:
> On Tue, 5 May 2009 09:28:08 pm Jonas Smedegaard wrote:
> > On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote:
> > > P.S. can you upload moin 1.7, I can't since I am not DD/DM.
> >
> > I'll do it now!
> >
> >  - Jonas
>
> Also, please upload fixed packages for unstable with urgency high. :)

Jonas,

Here's a patch for unstable (against 1.8.2-2). Could you review and upload it please?

Franklin

diff -u -r -N moin-1.8.2-2/debian/changelog moin-1.8.2-2+unstable1/debian/changelog --- moin-1.8.2-2/debian/changelog 2009-05-07 00:07:45.0 +0200 +++ moin-1.8.2-2+unstable1/debian/changelog 2009-05-07 00:06:26.0 +0200 @@ -1,3 +1,14 @@ +moin (1.8.2-2+unstable1) unstable; urgency=high + + [ Frank Lin PIAT ] + * Fix cross-site scripting vulnerability in action/AttachFile.py +(Closes: #526594), Thanks to Steffen Joeris. +Fixes: CVE-2009-1482 + * Add mode escaping to AttachFile move (maybe not XSS exploitable +though) + + -- Jonas Smedegaard d...@jones.dk Thu, 07 May 2009 00:02:29 +0200 + moin (1.8.2-2) unstable; urgency=low [ Jonas Smedegaard ] diff -u -r -N moin-1.8.2-2/debian/patches/3_CVE-2009-1482.patch moin-1.8.2-2+unstable1/debian/patches/3_CVE-2009-1482.patch --- moin-1.8.2-2/debian/patches/3_CVE-2009-1482.patch 1970-01-01 01:00:00.0 +0100 +++ moin-1.8.2-2+unstable1/debian/patches/3_CVE-2009-1482.patch 2009-05-06 23:57:04.0 +0200 
@@ -0,0 +1,55 @@ +--- a/MoinMoin/action/AttachFile.py 2009-05-06 23:53:46.0 +0200 b/MoinMoin/action/AttachFile.py 2009-05-06 23:56:21.0 +0200 +@@ -387,6 +387,7 @@ + + + def error_msg(pagename, request, msg): ++msg = wikiutil.escape(msg) + request.theme.add_msg(msg, error) + Page(request, pagename).send_page() + +@@ -512,7 +513,7 @@ + if handler: + msg = handler(pagename, request) + else: +-msg = _('Unsupported AttachFile sub-action: %s') % (wikiutil.escape(do[0]), ) ++msg = _('Unsupported AttachFile sub-action: %s') % do[0] + if msg: + error_msg(pagename, request, msg) + +@@ -522,6 +523,8 @@ + + + def upload_form(pagename, request, msg=''): ++if msg: ++msg = wikiutil.escape(msg) + _ = request.getText + + request.emit_http_headers() +@@ -838,13 +841,13 @@ + + if package.isPackage(): + if package.installPackage(): +-msg = _(Attachment '%(filename)s' installed.) % {'filename': wikiutil.escape(target)} ++msg = _(Attachment '%(filename)s' installed.) % {'filename': target} + else: +-msg = _(Installation of '%(filename)s' failed.) % {'filename': wikiutil.escape(target)} ++msg = _(Installation of '%(filename)s' failed.) 
% {'filename': target} + if package.msg: +-msg += brpre%s/pre % wikiutil.escape(package.msg) ++msg += + package.msg + else: +-msg = _('The file %s is not a MoinMoin package file.') % wikiutil.escape(target) ++msg = _('The file %s is not a MoinMoin package file.') % target + + upload_form(pagename, request, msg=msg) + +@@ -948,7 +951,7 @@ + logging.exception(An exception within zip file attachment handling occurred:) + msg = _(A severe error occurred:) + ' ' + str(err) + +-upload_form(pagename, request, msg=wikiutil.escape(msg)) ++upload_form(pagename, request, msg=msg) + + + def send_viewfile(pagename, request): diff -u -r -N moin-1.8.2-2/debian/patches/4_CVE-2009-1482-extra.patch moin-1.8.2-2+unstable1/debian/patches/4_CVE-2009-1482-extra.patch --- moin-1.8.2-2/debian/patches/4_CVE-2009-1482-extra.patch 1970-01-01 01:00:00.0 +0100 +++ moin-1.8.2-2+unstable1/debian/patches/4_CVE-2009-1482-extra.patch 2009-05-06 23:58:27.0 +0200 @@ -0,0 +1,14 @@ +--- a/MoinMoin/action/AttachFile.py 2009-05-06 23:57:38.0 +0200 b/MoinMoin/action/AttachFile.py 2009-05-06 23:57:43.0 +0200 +@@ -749,9 +749,9 @@ + 'baseurl': request.getScriptname(), + 'do': 'attachment_move', + 'ticket': wikiutil.createTicket(request), +- 'pagename': pagename, ++ 'pagename': wikiutil.escape(pagename, 1), + 'pagename_quoted': wikiutil.quoteWikinameURL(pagename), +- 'attachment_name': filename, ++ 'attachment_name': wikiutil.escape(filename, 1), + 'move': _('Move'), + 'cancel': _('Cancel'), + 'newname_label': _(New page name), diff -u -r -N moin-1.8.2-2/debian/patches/series moin-1.8.2-2+unstable1/debian/patches/series --- moin-1.8.2-2/debian/patches/series 2009-05-07 00:07:45.0 +0200 +++ moin-1.8.2-2+unstable1/debian/patches/series 2009-05-06 23:59:06.0 +0200 @@ -1,3 +1,5 @@ #10001_disable_RenderAsDocbook_if_no_xml.patch 20002_hardcode_configdir.patch 20003_disable_gui_editor_if_fckeditor_missing.patch +3_CVE-2009-1482.patch +4_CVE-2009-1482-extra.patch
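Review bot: The version in the debian/changelog hunk, 1.8.2-2+unstable1, is an unusual choice for an upload to unstable; the next plain revision (1.8.2-3) would be the conventional one, with suffixed versions kept for uploads like the +lenny security ones. If the suffix is deliberate, say why in the entry.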
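Review bot: In 3_CVE-2009-1482.patch the escaping moves into error_msg() and upload_form(), and the hunks at -512, -838 and -948 drop it only from the callers shown, so every other caller of these two functions needs checking. A caller that still calls wikiutil.escape() will now be escaped twice and show entities literally, and a caller that passed markup on purpose will lose it. The -838 hunk is such a case: the line appending package.msg no longer carries its own format string, so confirm the combined message still reads correctly once upload_form() escapes it as a whole.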
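Review bot: In the debian/patches/series hunk the two new entries, 3_CVE-2009-1482.patch and 4_CVE-2009-1482-extra.patch, do not follow the five-digit prefix used by the existing entries (10001_, 20002_, 20003_). Renaming them to fit that scheme would keep the ordering and naming of the series consistent.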
Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue [moin 1.5 / oldstable not affected]
On Sat, 2009-05-02 at 12:40 +1000, Steffen Joeris wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was published for moin.
>
> CVE-2009-1482[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in
> | action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
> | attackers to inject arbitrary web script or HTML via (1) an AttachFile
> | sub-action in the error_msg function or (2) multiple vectors related
> | to package file errors in the upload_form function, different vectors
> | than CVE-2009-0260.

Regarding oldstable (moin 1.5.3-1.2etch2):

Most of the patch http://hg.moinmo.in/moin/1.8/rev/5f51246a4df1 was already applied by the patch 019_CVE-2007-0781_attach_file_XSS.patch. The remainder of the patch (escaping error_msg) can't be exploited because the calling functions either escape strings, or send intrinsically clean strings (like fixed strings or attachment names that are escaped during upload).

The patch http://hg.moinmo.in/moin/1.8/rev/269a1fbc3ed7 isn't needed, because it fixes a bug in a feature that was introduced in a later release of moinmoin (1.6 or 1.7).

So our moin 1.5.3-1.2etch2 isn't affected by this CVE.

Thanks,

Franklin

P.S. can you upload moin 1.7, I can't since I am not DD/DM.
Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue [moin 1.5 / oldstable not affected]
On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote:
> P.S. can you upload moin 1.7, I can't since I am not DD/DM.

I'll do it now!

 - Jonas

-- 
 * Jonas Smedegaard - idealist and Internet architect
 * Tel.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue
Hi,

On Sat, 2009-05-02 at 12:40 +1000, Steffen Joeris wrote:
> CVE-2009-1482[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in
> | action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
> | attackers to inject arbitrary web script or HTML via (1) an AttachFile
> | sub-action in the error_msg function or (2) multiple vectors related
> | to package file errors in the upload_form function, different vectors
> | than CVE-2009-0260.
>
> Please have a look at upstream's announcement[1]. Upstream's patch is
> here[2]. While I agree that it is a good idea to move the escaping to a
> more centralised place, I don't see yet, where it would be exploitable.
> There is escaping in several places, so before we worry too much about
> this, I'd like to see a successful XSS exploit.

I could exploit this vulnerability by injecting arbitrary html, onmouseover...

> It might also be worth to include this patch[3] as well, although I
> don't think it is exploitable.

As I explained in my private mail, this can be exploited too. So I have included it, as suggested.

I have made a patch (against the lenny branch in git) that merely contains upstream's patches (I prefer to stick to upstream's patch, so later patches are more likely to apply).

Regards

Franklin

diff --git a/debian/changelog b/debian/changelog index 38c2799..bda4166 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +moin (1.7.1-3+lenny2) testing-security; urgency=high + + [ Frank Lin PIAT ] + * Fix cross-site scripting vulnerability in action/AttachFile.py +(Closes: #526594), Thanks to Steffen Joeris. +Fixes: CVE-2009-1482 + * Add mode escaping to AttachFile move (maybe not XSS exploitable +though) + + -- Jonas Smedegaard d...@jones.dk Sat, 02 May 2009 13:35:08 +0200 + moin (1.7.1-3+lenny1) testing-security; urgency=high * Non-maintainer upload by the security team diff --git a/debian/patches/3_CVE-2009-1482.patch b/debian/patches/3_CVE-2009-1482.patch new file mode 100644 index 000..979b24f --- /dev/null 
+++ b/debian/patches/3_CVE-2009-1482.patch @@ -0,0 +1,56 @@ +--- a/MoinMoin/action/AttachFile.py Mon Apr 13 14:09:57 2009 +0200 b/MoinMoin/action/AttachFile.py Sat Apr 18 18:58:25 2009 +0200 +@@ -387,6 +387,7 @@ + + + def error_msg(pagename, request, msg): ++msg = wikiutil.escape(msg) + request.theme.add_msg(msg, error) + Page(request, pagename).send_page() + +@@ -512,7 +513,7 @@ + if handler: + msg = handler(pagename, request) + else: +-msg = _('Unsupported AttachFile sub-action: %s') % (wikiutil.escape(do[0]), ) ++msg = _('Unsupported AttachFile sub-action: %s') % do[0] + if msg: + error_msg(pagename, request, msg) + +@@ -522,6 +523,8 @@ + + + def upload_form(pagename, request, msg=''): ++if msg: ++msg = wikiutil.escape(msg) + _ = request.getText + + request.emit_http_headers() +@@ -838,13 +841,13 @@ + + if package.isPackage(): + if package.installPackage(): +-msg = _(Attachment '%(filename)s' installed.) % {'filename': wikiutil.escape(target)} ++msg = _(Attachment '%(filename)s' installed.) % {'filename': target} + else: +-msg = _(Installation of '%(filename)s' failed.) % {'filename': wikiutil.escape(target)} ++msg = _(Installation of '%(filename)s' failed.) % {'filename': target} + if package.msg: +-msg += brpre%s/pre % wikiutil.escape(package.msg) ++msg += + package.msg + else: +-msg = _('The file %s is not a MoinMoin package file.') % wikiutil.escape(target) ++msg = _('The file %s is not a MoinMoin package file.') % target + + upload_form(pagename, request, msg=msg) + +@@ -948,7 +951,7 @@ + logging.exception(An exception within zip file attachment handling occurred:) + msg = _(A severe error occurred:) + ' ' + str(err) + +-upload_form(pagename, request, msg=wikiutil.escape(msg)) ++upload_form(pagename, request, msg=msg) + + + def send_viewfile(pagename, request): + diff --git a/debian/patches/4_CVE-2009-1482-extra.patch b/debian/patches/4_CVE-2009-1482-extra.patch new file mode 100644 index 000..4f9850d --- /dev/null 
+++ b/debian/patches/4_CVE-2009-1482-extra.patch @@ -0,0 +1,14 @@ +--- a/MoinMoin/action/AttachFile.py Sat Apr 18 18:58:25 2009 +0200 b/MoinMoin/action/AttachFile.py Sat Apr 18 19:09:16 2009 +0200 +@@ -749,9 +749,9 @@ + 'baseurl': request.getScriptname(), + 'do': 'attachment_move', + 'ticket': wikiutil.createTicket(request), +- 'pagename': pagename, ++ 'pagename': wikiutil.escape(pagename, 1), + 'pagename_quoted': wikiutil.quoteWikinameURL(pagename), +- 'attachment_name': filename, ++ 'attachment_name': wikiutil.escape(filename, 1), + 'move': _('Move'), + 'cancel': _('Cancel'), + 'newname_label': _(New page name), diff
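Review bot: The second bullet of the new debian/changelog entry says "Add mode escaping to AttachFile move (maybe not XSS exploitable though)", but the covering mail states that this one can be exploited too, so the parenthetical understates the fix in a security upload; drop it or reword it. "mode" also looks like a typo for "more".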
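Review bot: In 4_CVE-2009-1482-extra.patch (hunk at -749), pagename and filename are now passed through wikiutil.escape(..., 1), but 'baseurl': request.getScriptname() in the same dictionary is left as it is. Please confirm that value cannot carry request-controlled characters into the form, or escape it the same way. A short comment on what the second argument to wikiutil.escape() does would also make the intent of the change easier to read.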
Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue
Package: moin
Severity: important
Tags: patch, security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for moin.

CVE-2009-1482[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in
| action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
| attackers to inject arbitrary web script or HTML via (1) an AttachFile
| sub-action in the error_msg function or (2) multiple vectors related
| to package file errors in the upload_form function, different vectors
| than CVE-2009-0260.

Please have a look at upstream's announcement[1]. Upstream's patch is here[2]. While I agree that it is a good idea to move the escaping to a more centralised place, I don't see yet, where it would be exploitable. There is escaping in several places, so before we worry too much about this, I'd like to see a successful XSS exploit. Could you as the maintainer please also have a look? It might also be worth to include this patch[3] as well, although I don't think it is exploitable.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1482
    http://security-tracker.debian.net/tracker/CVE-2009-1482
[1] http://moinmo.in/SecurityFixes
[2] http://hg.moinmo.in/moin/1.8/rev/5f51246a4df1
[3] http://hg.moinmo.in/moin/1.8/rev/269a1fbc3ed7
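The trade-off discussed in this thread (escaping at each call site versus once inside error_msg/upload_form, plus the quote escaping added by the extra patch) can be reproduced in a few lines. This is an added example, not MoinMoin code or part of the thread: escape() is a stand-in for wikiutil.escape built on Python's html.escape, and the function names, form field and sample strings are constructed assumptions.

```python
import html


def escape(s, quote=0):
    # Stand-in (assumption) for MoinMoin's wikiutil.escape(s, quote):
    # always escapes & < >, and also quote characters when quote is true.
    return html.escape(s, quote=bool(quote))


def error_msg_before(msg):
    # Pre-patch sink: emits msg as-is and trusts every caller to escape.
    return msg


def error_msg_after(msg):
    # Post-patch sink: escapes once, centrally, before emitting.
    return escape(msg)


def unsupported_subaction(do, sink, caller_escapes):
    # Models the "Unsupported AttachFile sub-action" path from the patch.
    value = escape(do) if caller_escapes else do
    return sink("Unsupported AttachFile sub-action: %s" % value)


def move_form_field(filename, quote):
    # Assumption: the move form puts the name in a double-quoted attribute.
    return '<input name="attachment_name" value="%s">' % escape(filename, quote)


# Constructed sample inputs, not taken from the thread.
SAMPLE_DO = '<b onmouseover="x">hi</b>'
SAMPLE_NAME = 'a" onmouseover="x'

RESULTS = {
    "call site forgot, old sink": unsupported_subaction(SAMPLE_DO, error_msg_before, False),
    "call site forgot, new sink": unsupported_subaction(SAMPLE_DO, error_msg_after, False),
    "call site escaped, new sink": unsupported_subaction(SAMPLE_DO, error_msg_after, True),
    "attribute, escape(name)": move_form_field(SAMPLE_NAME, 0),
    "attribute, escape(name, 1)": move_form_field(SAMPLE_NAME, 1),
}

if __name__ == "__main__":
    for label, markup in RESULTS.items():
        print("%-28s %s" % (label, markup))
```

The third row shows why the patch removes the call-site escapes when it adds the central one: keeping both turns `<` into `&amp;lt;`, which is safe but displays entity text to the user.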