Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 209133 (CVE-2008-0780) - www-apps/moinmoin < 1.6.1 XSS issues (CVE-2008-{0780,0781,0782,1098,1099}))
Summary: www-apps/moinmoin < 1.6.1 XSS issues (CVE-2008-{0780,0781,0782,1098,1099}))
Status: RESOLVED FIXED
Alias: CVE-2008-0780
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/29010/
Whiteboard: C1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-02-06 13:24 UTC by Hanno Böck
Modified: 2008-03-18 22:41 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2008-02-06 13:24:58 UTC
Changelog for 1.6.1 lists this:
- XSS fixes
From http://moinmo.in/MoinMoinRelease1.6

They're not more specific and there seems to be no cve yet, anyway it's a security issue.
Comment 1 Bernd Marienfeldt 2008-02-06 13:41:23 UTC
http://hg.moinmo.in/moin/1.6/raw-file/1.6.1/docs/CHANGES shows
" * Fix XSS issue in login action."
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2008-02-06 14:01:25 UTC
1.6.1 in webapps overlay (using distutils as it should in the first place now) in case someone needs it urgently. :)

http://overlays.gentoo.org/svn/proj/webapps/migration/www-apps/moinmoin/
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-06 22:34:43 UTC
web-apps, please bump 1.6.1 into the tree.
Comment 4 Gunnar Wrobel (RETIRED) gentoo-dev 2008-02-15 14:25:43 UTC
moinmoin-1.6.1 is in the tree.

Targets:

 amd64 ppc sparc x86

@jakub:

  Thanks for the ebuild. Nice work!
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-15 15:11:31 UTC
(In reply to comment #4)
> moinmoin-1.6.1 is in the tree.
> 
> Targets:
> 
>  amd64 ppc sparc x86
> 
> @jakub:
> 
>   Thanks for the ebuild. Nice work!
> 

Comment 6 Markus Meier gentoo-dev 2008-02-16 09:22:07 UTC
x86 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-19 17:19:11 UTC
ppc stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-02-24 15:15:44 UTC
sparc stable
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2008-02-25 15:12:09 UTC
amd64 stable
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 16:23:31 UTC
Fixed in release snapshot.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2008-02-25 20:07:58 UTC
This one is ready for GLSA vote. I vote NO.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-02-25 22:14:40 UTC
I would raise the severity level on this bug, for CVE-2008-0782:
  Directory traversal vulnerability in MoinMoin 1.5.8 and earlier allows
  remote attackers to overwrite arbitrary files via ".." sequences in the
  MOIN_ID user ID in a cookie for a userform action. NOTE: this issue can
  be leveraged for PHP code execution via the quicklinks parameter.

Anyway, YES.
Comment 13 Gunnar Wrobel (RETIRED) gentoo-dev 2008-02-26 07:14:54 UTC
Removed vulnerable version. webapps done.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-26 08:58:20 UTC
voting NO too, and closing.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-26 09:02:35 UTC
Actually I missed rbu's comment. reverting my vote to YES, and request filed.
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2008-02-26 10:07:21 UTC
Raising severity to C1 ie remote code execution with non standard config. Is that correct?
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-02-26 14:20:16 UTC
(In reply to comment #16)
> Raising severity to C1 ie remote code execution with non standard config. Is
> that correct?

ACK
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-03-08 17:14:06 UTC
We should research this first, but I asusme this is fixes in the most recent update, too. Hanno, can you help here?

CVE-2008-1098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1098):
  Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.5.8 and
  earlier allow remote attackers to inject arbitrary web script or HTML via (1)
  certain input processed by formatter/text_gedit.py (aka the gui editor
  formatter); (2) a page name, which triggers an injection in PageEditor.py
  when the page is successfully deleted by a victim in a DeletePage action; or
  (3) the destination page name for a RenamePage action, which triggers an
  injection in PageEditor.py when a victim's rename attempt fails because of a
  duplicate name.  NOTE: the AttachFile XSS issue is already covered by
  CVE-2008-0781, and the login XSS issue is already covered by CVE-2008-0780.

CVE-2008-1099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1099):
  _macro_Getval in wikimacro.py in MoinMoin 1.5.8 and earlier does not properly
  enforce ACLs, which allows remote attackers to read protected pages.
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-18 22:41:29 UTC
GLSA 200803-27