Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue [moin 1.5 / oldstable not affected]

2009-05-06 Thread Steffen Joeris
On Tue, 5 May 2009 09:28:08 pm Jonas Smedegaard wrote:
> On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote:
> > P.S. can you upload moin 1.7, I can't since I am not DD/DM.
>
> I'll do it now!
>
>
>   - Jonas

Also, please upload fixed packages for unstable with urgency high. :)

Cheers
Steffen




Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue [moin 1.5 / oldstable not affected]

2009-05-06 Thread Frank Lin PIAT
On Wed, 2009-05-06 at 21:22 +1000, Steffen Joeris wrote:
> On Tue, 5 May 2009 09:28:08 pm Jonas Smedegaard wrote:
> > On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote:
> > > P.S. can you upload moin 1.7, I can't since I am not DD/DM.
> >
> > I'll do it now!
> >
> >   - Jonas
>
> Also, please upload fixed packages for unstable with urgency high. :)

Jonas,

Here's a patch for unstable (against 1.8.2-2).

Could you review and upload it please?

Franklin
diff -u -r -N moin-1.8.2-2/debian/changelog moin-1.8.2-2+unstable1/debian/changelog
--- moin-1.8.2-2/debian/changelog	2009-05-07 00:07:45.0 +0200
+++ moin-1.8.2-2+unstable1/debian/changelog	2009-05-07 00:06:26.0 +0200
@@ -1,3 +1,14 @@
+moin (1.8.2-2+unstable1) unstable; urgency=high
+
+  [ Frank Lin PIAT ]
+  * Fix cross-site scripting vulnerability in action/AttachFile.py
+(Closes: #526594), Thanks to Steffen Joeris.
+Fixes: CVE-2009-1482
+  * Add mode escaping to AttachFile move (maybe not XSS exploitable
+though)
+
+ -- Jonas Smedegaard d...@jones.dk  Thu, 07 May 2009 00:02:29 +0200
+
 moin (1.8.2-2) unstable; urgency=low
 
   [ Jonas Smedegaard ]
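Review bot: In the second bullet of the new changelog entry, "Add mode escaping" looks like a typo for "Add more escaping". The version string 1.8.2-2+unstable1 is also an unusual choice for an ordinary upload to unstable, where the next Debian revision (1.8.2-3) would be the expected number; the +suffix form is normally kept for uploads that must sort below a future regular revision.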
diff -u -r -N moin-1.8.2-2/debian/patches/3_CVE-2009-1482.patch moin-1.8.2-2+unstable1/debian/patches/3_CVE-2009-1482.patch
--- moin-1.8.2-2/debian/patches/3_CVE-2009-1482.patch	1970-01-01 01:00:00.0 +0100
+++ moin-1.8.2-2+unstable1/debian/patches/3_CVE-2009-1482.patch	2009-05-06 23:57:04.0 +0200
@@ -0,0 +1,55 @@
+--- a/MoinMoin/action/AttachFile.py	2009-05-06 23:53:46.0 +0200
 b/MoinMoin/action/AttachFile.py	2009-05-06 23:56:21.0 +0200
+@@ -387,6 +387,7 @@
+ 
+ 
+ def error_msg(pagename, request, msg):
++msg = wikiutil.escape(msg)
+ request.theme.add_msg(msg, error)
+ Page(request, pagename).send_page()
+ 
+@@ -512,7 +513,7 @@
+ if handler:
+ msg = handler(pagename, request)
+ else:
+-msg = _('Unsupported AttachFile sub-action: %s') % (wikiutil.escape(do[0]), )
++msg = _('Unsupported AttachFile sub-action: %s') % do[0]
+ if msg:
+ error_msg(pagename, request, msg)
+ 
+@@ -522,6 +523,8 @@
+ 
+ 
+ def upload_form(pagename, request, msg=''):
++if msg:
++msg = wikiutil.escape(msg)
+ _ = request.getText
+ 
+ request.emit_http_headers()
+@@ -838,13 +841,13 @@
+ 
+ if package.isPackage():
+ if package.installPackage():
+-msg = _(Attachment '%(filename)s' installed.) % {'filename': wikiutil.escape(target)}
++msg = _(Attachment '%(filename)s' installed.) % {'filename': target}
+ else:
+-msg = _(Installation of '%(filename)s' failed.) % {'filename': wikiutil.escape(target)}
++msg = _(Installation of '%(filename)s' failed.) % {'filename': target}
+ if package.msg:
+-msg += brpre%s/pre % wikiutil.escape(package.msg)
++msg +=   + package.msg
+ else:
+-msg = _('The file %s is not a MoinMoin package file.') % wikiutil.escape(target)
++msg = _('The file %s is not a MoinMoin package file.') % target
+ 
+ upload_form(pagename, request, msg=msg)
+ 
+@@ -948,7 +951,7 @@
+ logging.exception(An exception within zip file attachment handling occurred:)
+ msg = _(A severe error occurred:) + ' ' + str(err)
+ 
+-upload_form(pagename, request, msg=wikiutil.escape(msg))
++upload_form(pagename, request, msg=msg)
+ 
+ 
+ def send_viewfile(pagename, request):
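Review bot: With the escaping now done inside error_msg() and upload_form(), every caller has to pass plain text, and this patch only shows the call sites at -512, -838 and -948 being converted. Any other caller in AttachFile.py that still wraps its message in wikiutil.escape() will come out double-escaped, and any caller that passed intentional markup will now have it shown literally, so the remaining upload_form( and error_msg( calls should be checked before upload. As archived here the embedded patch has also lost its string quotes and its "+++" header line, so it should be reviewed and applied from the original attachment, not from this text.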
diff -u -r -N moin-1.8.2-2/debian/patches/4_CVE-2009-1482-extra.patch moin-1.8.2-2+unstable1/debian/patches/4_CVE-2009-1482-extra.patch
--- moin-1.8.2-2/debian/patches/4_CVE-2009-1482-extra.patch	1970-01-01 01:00:00.0 +0100
+++ moin-1.8.2-2+unstable1/debian/patches/4_CVE-2009-1482-extra.patch	2009-05-06 23:58:27.0 +0200
@@ -0,0 +1,14 @@
+--- a/MoinMoin/action/AttachFile.py	2009-05-06 23:57:38.0 +0200
 b/MoinMoin/action/AttachFile.py	2009-05-06 23:57:43.0 +0200
+@@ -749,9 +749,9 @@
+  'baseurl': request.getScriptname(),
+  'do': 'attachment_move',
+  'ticket': wikiutil.createTicket(request),
+- 'pagename': pagename,
++ 'pagename': wikiutil.escape(pagename, 1),
+  'pagename_quoted': wikiutil.quoteWikinameURL(pagename),
+- 'attachment_name': filename,
++ 'attachment_name': wikiutil.escape(filename, 1),
+  'move': _('Move'),
+  'cancel': _('Cancel'),
+  'newname_label': _(New page name),
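Review bot: The dict in the -749 hunk now escapes 'pagename' and 'attachment_name', but 'baseurl': request.getScriptname() a few lines above them sits in the same dict unescaped. If the script name can be influenced by the request it deserves the same wikiutil.escape(..., 1) treatment; if it cannot, a one-line comment saying so would save the next reader the check.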
diff -u -r -N moin-1.8.2-2/debian/patches/series moin-1.8.2-2+unstable1/debian/patches/series
--- moin-1.8.2-2/debian/patches/series	2009-05-07 00:07:45.0 +0200
+++ moin-1.8.2-2+unstable1/debian/patches/series	2009-05-06 23:59:06.0 +0200
@@ -1,3 +1,5 @@
 #10001_disable_RenderAsDocbook_if_no_xml.patch
 20002_hardcode_configdir.patch
 20003_disable_gui_editor_if_fckeditor_missing.patch
+3_CVE-2009-1482.patch
+4_CVE-2009-1482-extra.patch
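Review bot: The two new series entries are named 3_... and 4_... while the existing entries use five-digit prefixes (10001, 20002, 20003). Renaming them to follow that numbering would keep the ordering scheme of debian/patches consistent.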


Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue [moin 1.5 / oldstable not affected]

2009-05-05 Thread Frank Lin PIAT
On Sat, 2009-05-02 at 12:40 +1000, Steffen Joeris wrote:
 
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for moin.
>
> CVE-2009-1482[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in
> | action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
> | attackers to inject arbitrary web script or HTML via (1) an AttachFile
> | sub-action in the error_msg function or (2) multiple vectors related
> | to package file errors in the upload_form function, different vectors
> | than CVE-2009-0260.

Regarding oldstable (moin 1.5.3-1.2etch2):

Most of the patch http://hg.moinmo.in/moin/1.8/rev/5f51246a4df1 was
already applied by the patch 019_CVE-2007-0781_attach_file_XSS.patch.
The remainder of the patch (escaping error_msg) can't be exploited
because the calling functions either escape strings, or send
intrinsically clean strings (like fixed strings or attachment names
that are escaped during upload).


The patch http://hg.moinmo.in/moin/1.8/rev/269a1fbc3ed7 isn't needed,
because it fixes a bug in a feature that was introduced in a later release
of moinmoin (1.6 or 1.7).

So our moin 1.5.3-1.2etch2 isn't affected by this CVE.

Thanks,

Franklin

P.S. can you upload moin 1.7, I can't since I am not DD/DM.




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue [moin 1.5 / oldstable not affected]

2009-05-05 Thread Jonas Smedegaard
On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote:
> P.S. can you upload moin 1.7, I can't since I am not DD/DM.

I'll do it now!


  - Jonas

-- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private



Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue

2009-05-02 Thread Frank Lin PIAT
Hi,

On Sat, 2009-05-02 at 12:40 +1000, Steffen Joeris wrote:
 
> CVE-2009-1482[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in
> | action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
> | attackers to inject arbitrary web script or HTML via (1) an AttachFile
> | sub-action in the error_msg function or (2) multiple vectors related
> | to package file errors in the upload_form function, different vectors
> | than CVE-2009-0260.
>
> Please have a look at upstream's announcement[1]. Upstream's patch is
> here[2]. While I agree that it is a good idea to move the escaping to
> a more centralised place, I don't see yet, where it would be
> exploitable. There is escaping in several places, so before we worry
> too much about this, I'd like to see a successful XSS exploit.

I could exploit this vulnerability by injecting arbitrary html, onmouseover...

> It might also be worth including this patch[3] as well, although I
> don't think it is exploitable.

As I explained in my private mail, this can be exploited too. So I have
included it, as suggested.

I have made a patch (against the lenny branch in git) that merely
contains upstream's patches (I prefer to stick to upstream's patch, so
later patches are more likely to apply).

Regards

Franklin
diff --git a/debian/changelog b/debian/changelog
index 38c2799..bda4166 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+moin (1.7.1-3+lenny2) testing-security; urgency=high
+
+  [ Frank Lin PIAT ]
+  * Fix cross-site scripting vulnerability in action/AttachFile.py
+(Closes: #526594), Thanks to Steffen Joeris.
+Fixes: CVE-2009-1482
+  * Add mode escaping to AttachFile move (maybe not XSS exploitable
+though)
+
+ -- Jonas Smedegaard d...@jones.dk  Sat, 02 May 2009 13:35:08 +0200
+
 moin (1.7.1-3+lenny1) testing-security; urgency=high
 
   * Non-maintainer upload by the security team
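Review bot: The second changelog bullet describes the AttachFile move escaping as "maybe not XSS exploitable though", while the mail that carries this patch says the same issue can be exploited too; the changelog wording should be brought in line with that. "Add mode escaping" in the same bullet also reads like a typo for "Add more escaping".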
diff --git a/debian/patches/3_CVE-2009-1482.patch b/debian/patches/3_CVE-2009-1482.patch
new file mode 100644
index 000..979b24f
--- /dev/null
+++ b/debian/patches/3_CVE-2009-1482.patch
@@ -0,0 +1,56 @@
+--- a/MoinMoin/action/AttachFile.py	Mon Apr 13 14:09:57 2009 +0200
 b/MoinMoin/action/AttachFile.py	Sat Apr 18 18:58:25 2009 +0200
+@@ -387,6 +387,7 @@
+ 
+ 
+ def error_msg(pagename, request, msg):
++msg = wikiutil.escape(msg)
+ request.theme.add_msg(msg, error)
+ Page(request, pagename).send_page()
+ 
+@@ -512,7 +513,7 @@
+ if handler:
+ msg = handler(pagename, request)
+ else:
+-msg = _('Unsupported AttachFile sub-action: %s') % (wikiutil.escape(do[0]), )
++msg = _('Unsupported AttachFile sub-action: %s') % do[0]
+ if msg:
+ error_msg(pagename, request, msg)
+ 
+@@ -522,6 +523,8 @@
+ 
+ 
+ def upload_form(pagename, request, msg=''):
++if msg:
++msg = wikiutil.escape(msg)
+ _ = request.getText
+ 
+ request.emit_http_headers()
+@@ -838,13 +841,13 @@
+ 
+ if package.isPackage():
+ if package.installPackage():
+-msg = _(Attachment '%(filename)s' installed.) % {'filename': wikiutil.escape(target)}
++msg = _(Attachment '%(filename)s' installed.) % {'filename': target}
+ else:
+-msg = _(Installation of '%(filename)s' failed.) % {'filename': wikiutil.escape(target)}
++msg = _(Installation of '%(filename)s' failed.) % {'filename': target}
+ if package.msg:
+-msg += brpre%s/pre % wikiutil.escape(package.msg)
++msg +=   + package.msg
+ else:
+-msg = _('The file %s is not a MoinMoin package file.') % wikiutil.escape(target)
++msg = _('The file %s is not a MoinMoin package file.') % target
+ 
+ upload_form(pagename, request, msg=msg)
+ 
+@@ -948,7 +951,7 @@
+ logging.exception(An exception within zip file attachment handling occurred:)
+ msg = _(A severe error occurred:) + ' ' + str(err)
+ 
+-upload_form(pagename, request, msg=wikiutil.escape(msg))
++upload_form(pagename, request, msg=msg)
+ 
+ 
+ def send_viewfile(pagename, request):
+
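Review bot: In the -838 hunk the removed line wrapped package.msg in br/pre markup (angle brackets and quotes are stripped in this archive), and the replacement concatenates it as plain text, so multi-line installer output will collapse into one run of text in the message box. If that layout matters, upload_form() has to add the wrapper itself after escaping, because callers can no longer pass markup through msg. Separately, error_msg() escapes unconditionally while upload_form() guards with "if msg:"; either use the same guard in both or note why msg can be empty only in upload_form().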
diff --git a/debian/patches/4_CVE-2009-1482-extra.patch b/debian/patches/4_CVE-2009-1482-extra.patch
new file mode 100644
index 000..4f9850d
--- /dev/null
+++ b/debian/patches/4_CVE-2009-1482-extra.patch
@@ -0,0 +1,14 @@
+--- a/MoinMoin/action/AttachFile.py	Sat Apr 18 18:58:25 2009 +0200
 b/MoinMoin/action/AttachFile.py	Sat Apr 18 19:09:16 2009 +0200
+@@ -749,9 +749,9 @@
+  'baseurl': request.getScriptname(),
+  'do': 'attachment_move',
+  'ticket': wikiutil.createTicket(request),
+- 'pagename': pagename,
++ 'pagename': wikiutil.escape(pagename, 1),
+  'pagename_quoted': wikiutil.quoteWikinameURL(pagename),
+- 'attachment_name': filename,
++ 'attachment_name': wikiutil.escape(filename, 1),
+  'move': _('Move'),
+  'cancel': _('Cancel'),
+  'newname_label': _(New page name),
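Review bot: The bare second argument in wikiutil.escape(pagename, 1) and wikiutil.escape(filename, 1) is easy to misread. It switches on quote escaping, which is what these values need if the form template places them inside attribute values; passing the flag by keyword, or adding a short comment next to the two lines, would make that intent visible to the next person touching this dict.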
diff 

Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue

2009-05-01 Thread Steffen Joeris
Package: moin
Severity: important
Tags: patch, security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for moin.

CVE-2009-1482[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in
| action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
| attackers to inject arbitrary web script or HTML via (1) an AttachFile
| sub-action in the error_msg function or (2) multiple vectors related
| to package file errors in the upload_form function, different vectors
| than CVE-2009-0260.

Please have a look at upstream's announcement[1]. Upstream's patch is
here[2]. While I agree that it is a good idea to move the escaping to
a more centralised place, I don't see yet, where it would be
exploitable. There is escaping in several places, so before we worry
too much about this, I'd like to see a successful XSS exploit.
Could you as the maintainer please also have a look?

It might also be worth including this patch[3] as well, although I
don't think it is exploitable.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1482
http://security-tracker.debian.net/tracker/CVE-2009-1482
[1] http://moinmo.in/SecurityFixes
[2] http://hg.moinmo.in/moin/1.8/rev/5f51246a4df1
[3] http://hg.moinmo.in/moin/1.8/rev/269a1fbc3ed7
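
Added example, not part of the original thread and not MoinMoin's code: the escaping placement discussed in the report above and in the oldstable analysis, with Python's html.escape standing in for wikiutil.escape (an assumption) and with constructed function names and a constructed, harmless sample value. It pairs each caller style with each sink style to show which combinations let markup through, which escape once, and which double-escape.

```python
import html

# Constructed, harmless value standing in for the request-controlled sub-action.
SUB_ACTION = "<b>nosuch</b>"
TEMPLATE = "Unsupported AttachFile sub-action: %s"

def escape(text):
    """Stand-in for wikiutil.escape (assumption): escape &, <, > and quotes."""
    return html.escape(text, quote=True)

def trusting_sink(msg):
    """Emits msg as-is, as error_msg/upload_form did before the fix."""
    return '<div class="error">%s</div>' % msg

def escaping_sink(msg):
    """Escapes once at the output point, as the patched functions do."""
    return '<div class="error">%s</div>' % escape(msg)

def escaping_caller(sink):
    """Pre-patch caller style: escape the value, then hand it to the sink."""
    return sink(TEMPLATE % escape(SUB_ACTION))

def plain_caller(sink):
    """Post-patch caller style: hand over plain text."""
    return sink(TEMPLATE % SUB_ACTION)

def classify(output):
    """Label what a browser would receive for the sample value."""
    if "<b>" in output:
        return "markup reaches the page"
    if "&amp;lt;" in output:
        return "double-escaped"
    return "escaped once"

def audit():
    """Run every caller/sink pairing and report the outcome."""
    return {
        (c.__name__, s.__name__): classify(c(s))
        for c in (escaping_caller, plain_caller)
        for s in (trusting_sink, escaping_sink)
    }

if __name__ == "__main__":
    for pair, verdict in audit().items():
        print(pair, "->", verdict)
```

Only the pairing of a plain caller with a trusting sink lets markup through, which is why a code path is safe on the old layout only if every caller escapes; the pairing of an escaping caller with an escaping sink is the double-escape to look for when a centralising patch is backported.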


