That email didn't explain a lot. Here's the actual diff, as far as I can tell: http://hg.thinkmo.de/moin/1.5?cs=130316e4d462.
The issue is that they let people use the less-than and greater-than characters in pagenames, so whenever they print a pagename to the screen they have to escape it. Otherwise, someone can create a page called <script type="text/javascript">do bad things</script>. You can't use less than or greater than characters in Sycamore, as they're turned off. So, this shouldn't be an issue. In general, XSS stuff can be hard to avoid and tricky. I don't know of any exploitable XSS attacks in Sycamore. --Philip On 2/10/07, Graham Freeman <[EMAIL PROTECTED]> wrote: > Folks, > > This raises an interesting point that I hadn't thought about before. > How secure is Sycamore? Given that it's derived from MoinMoin, is it > generally vulnerable to the same attacks as the one outlined below? > What kind of code review does it undergo, especially with regard to > security? > > thanks, > > Graham > (a non-programmer) > > Begin forwarded message: > > > From: Kees Cook <[EMAIL PROTECTED]> > > Date: 09 February, 2007 19:24:55 PST > > To: [EMAIL PROTECTED] > > Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com > > Subject: [USN-421-1] MoinMoin vulnerability > > Reply-To: [EMAIL PROTECTED] > > > > =========================================================== > > Ubuntu Security Notice USN-421-1 February 10, 2007 > > moin, moin1.3 vulnerability > > CVE-2007-0857 > > =========================================================== > > > > A security issue affects the following Ubuntu releases: > > > > Ubuntu 5.10 > > Ubuntu 6.06 LTS > > Ubuntu 6.10 > > > > This advisory also applies to the corresponding versions of > > Kubuntu, Edubuntu, and Xubuntu. > > > > The problem can be corrected by upgrading your system to the > > following package versions: > > > > Ubuntu 5.10: > > moin 1.2.4-1ubuntu2.1 > > python2.3-moinmoin 1.3.4-6ubuntu1.1 > > python2.4-moinmoin 1.3.4-6ubuntu1.1 > > > > Ubuntu 6.06 LTS: > > python2.4-moinmoin 1.5.2-1ubuntu2.1 > > > > Ubuntu 6.10: > > python2.4-moinmoin 1.5.3-1ubuntu1.1 > > > > In general, a standard system upgrade is sufficient to effect the > > necessary changes. > > > > Details follow: > > > > A flaw was discovered in MoinMoin's page name sanitizer which could > > lead > > to a cross-site scripting attack. By tricking a user into viewing a > > crafted MoinMoin page, an attacker could execute arbitrary > > JavaScript as > > the current MoinMoin user, possibly exposing the user's authentication > > information for the domain where MoinMoin was hosted. > > > > > > Updated packages for Ubuntu 5.10: > > > > Source archives: > > > > http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/ > > moin1.3_1.3.4-6ubuntu1.1.diff.gz > > Size/MD5: 44173 692c6d70ddfcd4bee6c52b5a058e12a5 > > http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/ > > moin1.3_1.3.4-6ubuntu1.1.dsc > > Size/MD5: 787 5d884216cdba772e9e4aa899754b043f > > http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/ > > moin1.3_1.3.4.orig.tar.gz > > Size/MD5: 3085225 aff667e7c60c5af2525cd1381f417608 > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/ > > moin_1.2.4-1ubuntu2.1.diff.gz > > Size/MD5: 38141 d36e9f5e4a49fbd5cbf3660e26a2bb08 > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/ > > moin_1.2.4-1ubuntu2.1.dsc > > Size/MD5: 646 a12da82f5b5bc78c4fa81d0a41d3505d > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/ > > moin_1.2.4.orig.tar.gz > > Size/MD5: 1142734 4fea82b27079d1db50a38cf06317cfaa > > > > Architecture independent packages: > > > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/ > > moin_1.2.4-1ubuntu2.1_all.deb > > Size/MD5: 875380 c51d8534d114a5ac8168d74078d057ac > > http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/moinmoin- > > common_1.3.4-6ubuntu1.1_all.deb > > Size/MD5: 726336 7d06a0597d2cf730071a3ab8f89fa1b1 > > http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/python- > > moinmoin_1.3.4-6ubuntu1.1_all.deb > > Size/MD5: 50100 8989297583d220982a5d357024b67512 > > http://security.ubuntu.com/ubuntu/pool/universe/m/moin1.3/ > > python2.3-moinmoin_1.3.4-6ubuntu1.1_all.deb > > Size/MD5: 584174 320ab3f0940162c0d9effc5c6c20eeb6 > > http://security.ubuntu.com/ubuntu/pool/main/m/moin1.3/python2.4- > > moinmoin_1.3.4-6ubuntu1.1_all.deb > > Size/MD5: 584184 8d64c3204991c3f0f1ef23fbb76b3ccc > > > > Updated packages for Ubuntu 6.06 LTS: > > > > Source archives: > > > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/ > > moin_1.5.2-1ubuntu2.1.diff.gz > > Size/MD5: 36962 a118fa520ea2ffbb43138ddbed7fdf79 > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/ > > moin_1.5.2-1ubuntu2.1.dsc > > Size/MD5: 702 220ca3322333fff147b16635b632b6a6 > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/ > > moin_1.5.2.orig.tar.gz > > Size/MD5: 3975925 689ed7aa9619aa207398b996d68b4b87 > > > > Architecture independent packages: > > > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin- > > common_1.5.2-1ubuntu2.1_all.deb > > Size/MD5: 1507708 cc18106ba9a34162b5895474ffcd78a3 > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/python- > > moinmoin_1.5.2-1ubuntu2.1_all.deb > > Size/MD5: 69348 87fba532f3c2a2dbc4d5e24efe0adedf > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4- > > moinmoin_1.5.2-1ubuntu2.1_all.deb > > Size/MD5: 834402 731d1b0936fe0002372e38fd196f2904 > > > > Updated packages for Ubuntu 6.10: > > > > Source archives: > > > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/ > > moin_1.5.3-1ubuntu1.1.diff.gz > > Size/MD5: 37699 aa17a2ab9e6228584e6215bde1f65dcb > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/ > > moin_1.5.3-1ubuntu1.1.dsc > > Size/MD5: 726 cc673d0b1366fe30e7be24efb5655b08 > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/ > > moin_1.5.3.orig.tar.gz > > Size/MD5: 4187091 e95ec46ee8de9527a39793108de22f7d > > > > Architecture independent packages: > > > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin- > > common_1.5.3-1ubuntu1.1_all.deb > > Size/MD5: 1574710 405eb7dd6d415d75897b38c27c137cc6 > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/python- > > moinmoin_1.5.3-1ubuntu1.1_all.deb > > Size/MD5: 73438 2257461978d5728ff0028cfef6964735 > > http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4- > > moinmoin_1.5.3-1ubuntu1.1_all.deb > > Size/MD5: 908768 b3a8d8fe09d6a0d33bde2a3e42c9d389 > > > > -- > > ubuntu-security-announce mailing list > > [EMAIL PROTECTED] > > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/ > > listinfo/ubuntu-security-announce > > > _______________________________________________ > Sycamore-Dev mailing list > [EMAIL PROTECTED] > http://www.projectsycamore.org/ > https://tools.cernio.com/mailman/listinfo/sycamore-dev > _______________________________________________ Sycamore-Dev mailing list [EMAIL PROTECTED] http://www.projectsycamore.org/ https://tools.cernio.com/mailman/listinfo/sycamore-dev
