Changelog for 1.6.1 lists this: - XSS fixes From http://moinmo.in/MoinMoinRelease1.6 They're not more specific and there seems to be no cve yet, anyway it's a security issue.
http://hg.moinmo.in/moin/1.6/raw-file/1.6.1/docs/CHANGES shows " * Fix XSS issue in login action."
1.6.1 in webapps overlay (using distutils as it should in the first place now) in case someone needs it urgently. :) http://overlays.gentoo.org/svn/proj/webapps/migration/www-apps/moinmoin/
web-apps, please bump 1.6.1 into the tree.
moinmoin-1.6.1 is in the tree. Targets: amd64 ppc sparc x86 @jakub: Thanks for the ebuild. Nice work!
(In reply to comment #4) > moinmoin-1.6.1 is in the tree. > > Targets: > > amd64 ppc sparc x86 > > @jakub: > > Thanks for the ebuild. Nice work! >
x86 stable
ppc stable
sparc stable
amd64 stable
Fixed in release snapshot.
This one is ready for GLSA vote. I vote NO.
I would raise the severity level on this bug, for CVE-2008-0782: Directory traversal vulnerability in MoinMoin 1.5.8 and earlier allows remote attackers to overwrite arbitrary files via ".." sequences in the MOIN_ID user ID in a cookie for a userform action. NOTE: this issue can be leveraged for PHP code execution via the quicklinks parameter. Anyway, YES.
Removed vulnerable version. webapps done.
voting NO too, and closing.
Actually I missed rbu's comment. reverting my vote to YES, and request filed.
Raising severity to C1 ie remote code execution with non standard config. Is that correct?
(In reply to comment #16) > Raising severity to C1 ie remote code execution with non standard config. Is > that correct? ACK
We should research this first, but I asusme this is fixes in the most recent update, too. Hanno, can you help here? CVE-2008-1098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1098): Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.5.8 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) certain input processed by formatter/text_gedit.py (aka the gui editor formatter); (2) a page name, which triggers an injection in PageEditor.py when the page is successfully deleted by a victim in a DeletePage action; or (3) the destination page name for a RenamePage action, which triggers an injection in PageEditor.py when a victim's rename attempt fails because of a duplicate name. NOTE: the AttachFile XSS issue is already covered by CVE-2008-0781, and the login XSS issue is already covered by CVE-2008-0780. CVE-2008-1099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1099): _macro_Getval in wikimacro.py in MoinMoin 1.5.8 and earlier does not properly enforce ACLs, which allows remote attackers to read protected pages.
GLSA 200803-27