Bug 273858 (CVE-2009-4762) - <www-apps/moinmoin-1.8.4: ACL bypass (CVE-2009-4762)
Summary: <www-apps/moinmoin-1.8.4: ACL bypass (CVE-2009-4762)
Status: RESOLVED FIXED
Alias: CVE-2009-4762
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/35407/
Whiteboard: C3? [noglsa]
Keywords:
Depends on: 268565
Blocks:
Reported: 2009-06-12 12:12 UTC by Alex Legler (RETIRED)
Modified: 2010-04-11 14:02 UTC

See Also:
Package list:
Runtime testing required: ---
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-12 12:12:43 UTC
A security issue has been reported in MoinMoin, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to an error when processing hierarchical ACLs, which can be exploited to access restricted sub-pages.

Successful exploitation requires that the username does not match any of the sub-page's ACLs and that hierarchical ACL processing is enabled (not the default).
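The flaw described above, modelled as an added example in plain Python (this is not MoinMoin's own code and does not reproduce its ACL syntax): a simplified hierarchical ACL resolver in which a sub-page ACL that contains no entry for the requesting user wrongly falls through to the parent page's ACL, shown beside the corrected rule that the nearest ACL on the path is authoritative. The page names, ACL entries and user names are constructed for the demonstration.

```python
# Simplified model of hierarchical ACL resolution (constructed example,
# not MoinMoin's implementation). Pages are named "Parent/Child"; each
# page may carry an ACL, an ordered list of (subject, rights) entries.
# The subject "All" matches every user.
from typing import Dict, List, Optional, Set, Tuple

Acl = List[Tuple[str, Set[str]]]

# Constructed page tree: the parent is world-readable, the sub-page is
# restricted to one user. "Project/Notes" deliberately has no ACL, so it
# should inherit from "Project" under hierarchical processing.
PAGE_ACLS: Dict[str, Acl] = {
    "Project": [("All", {"read"})],
    "Project/Secret": [("alice", {"read", "write"})],
}


def parents(page: str) -> List[str]:
    """Ancestors of a page, nearest first: "A/B/C" -> ["A/B", "A"]."""
    parts = page.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]


def match(acl: Acl, user: str, right: str) -> Optional[bool]:
    """First-match evaluation of one ACL.

    Returns True/False when some entry applies to `user`, and None when no
    entry mentions the user at all. That None is the case the description
    above refers to ("username does not match any of the sub-page's ACLs").
    """
    for subject, rights in acl:
        if subject in (user, "All"):
            return right in rights
    return None


def may_vulnerable(user: str, page: str, right: str) -> bool:
    """Flawed hierarchical check: an ACL that names nobody matching `user`
    is treated as if the page had no ACL, so the walk continues to the
    parent and a permissive parent ACL grants access to the sub-page."""
    for candidate in [page] + parents(page):
        acl = PAGE_ACLS.get(candidate)
        if acl is None:
            continue
        verdict = match(acl, user, right)
        if verdict is not None:
            return verdict
        # BUG: unmatched user falls through to the parent ACL.
    return False


def may_fixed(user: str, page: str, right: str) -> bool:
    """Corrected check: only pages *without* an ACL defer to their parent.
    The nearest page that defines an ACL is authoritative, and a user that
    matches none of its entries gets no rights from it."""
    for candidate in [page] + parents(page):
        acl = PAGE_ACLS.get(candidate)
        if acl is None:
            continue  # no ACL at this level: intended inheritance
        return bool(match(acl, user, right))
    return False


if __name__ == "__main__":
    for user, page in [("mallory", "Project/Secret"), ("alice", "Project/Secret"),
                       ("mallory", "Project/Notes")]:
        print(f"{user:8} read {page:15} vulnerable={may_vulnerable(user, page, 'read')} "
              f"fixed={may_fixed(user, page, 'read')}")
```

Running the block shows the one case that differs: an unprivileged user reading the restricted sub-page is granted access by the flawed walk (the parent's `All` entry wins) and refused by the corrected one, while legitimate inheritance for pages that carry no ACL of their own behaves identically in both versions. The mitigation on the page for affected installs is to not enable hierarchical ACL processing, or to upgrade to a version that evaluates the nearest ACL authoritatively.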
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-06 04:05:04 UTC
CVE-2009-4762 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4762):
  MoinMoin 1.7.x before 1.7.3 and 1.8.x before 1.8.3 checks parent ACLs
  in certain inappropriate circumstances during processing of
  hierarchical ACLs, which allows remote attackers to bypass intended
  access restrictions by requesting an item, a different vulnerability
  than CVE-2008-6603.

Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 14:02:46 UTC
CVE-2009-4762 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4762):
  MoinMoin 1.7.x before 1.7.3 and 1.8.x before 1.8.3 checks parent ACLs
  in certain inappropriate circumstances during processing of
  hierarchical ACLs, which allows remote attackers to bypass intended
  access restrictions by requesting an item, a different vulnerability
  than CVE-2008-6603.