[Moin-user] Vulnerabilities affecting MoinMoin 1.5.7 Release? (CVE-2007-901, 902)

Thomas Waldmann tw-public at gmx.de
Sat Mar 17 09:23:03 EDT 2007


> It's come to my attention that a few relatively recent security reports
>  allege vulnerabilities including cross-site scripting in MoinMoin up to
> and including release 1.5.7

The pagename (AttachFile, RenamePage, LocalSiteMap) and page info XSS 
bugs were fixed in 1.5.7 and this is documented in docs/CHANGES.

The other report advising show_traceback (this seems to be a 3rd party 
patch, not a moin feature) as a solution for another potential 
vulnerability is rather vague about what the exact problem is and what 
the exploit could be.

Whether showing version numbers of some involved software (OS, Python, 
Moin) is a security bug by itself is debatable. One thing is sure: if 
we disable tracebacks and version information, the bugs reported by our 
users would be of much lower quality and debugging would be harder and 
take longer.

See also:
http://moinmoin.wikiwikiweb.de/MoinMoinBugs/DisableExceptionDebugging

In general, I must say that I am a bit disappointed with the quality of 
such security reports and some security news (like that on heise 
recently). They are partly incorrect, rather vague and sometimes seem to 
over-hype things a bit (like heise first saying that you could execute 
code on the SERVER - they fixed it some hours later), and heavy 
crosslinking of such things doesn't help either.

Of course XSS is a problem, but, for the recent moin cases, it is not 
something to panic about.

If someone creates a page named Bla<insert javascript exploit code 
here>Bla, you will notice that on RecentChanges. Similarly, if 
someone tries to trick you into going to some URL of that kind, you will 
notice it (hopefully) before you click.

If you can be tricked into such stuff, I guess you will be "phished" 
daily anyway (and those guys don't just steal your moin cookie, but $$$$ 
from your bank/paypal/whatever account).
