[Python-Dev] FYI - wiki.python.org compromised
Paul Boddie
paul at boddie.org.uk
Thu Jan 10 23:32:33 CET 2013
Robert Whitney wrote:
> To Whoever this may concern,
>
> I believe the exploit in use on the Python Wiki could have been the
> following remote arbitrary code execution exploit that myself and some
> fellow researchers have been working with over the past few days. I'm
> not sure if this has quite been reported to the Moin development team,
> however this exploit would be triggered via a URL much like the following:
> http://wiki.python.org/WikiSandBox?action=moinexec&c=uname%20-a
Did you check the MoinMoin security fixes page?
http://moinmo.in/SecurityFixes
What you describe is mentioned as "remote code execution vulnerability in
twikidraw/anywikidraw action CVE-2012-6081".
> This URL of course would cause the page to output the contents of
> the command "uname -a". I think this is definitely worth your
> researchers looking into, and please be sure to credit myself (Robert
> 'xnite' Whitney; http://xnite.org) for finding & reporting this
> vulnerability.
Have you discovered anything beyond the findings of the referenced, reported
vulnerability, or any of those mentioned in the Debian advisory?
http://www.debian.org/security/2012/dsa-2593
If so, I'm sure that the MoinMoin developers would be interested in working
with you to responsibly mitigate the impact of any deployed, vulnerable code.
Paul
P.S. Although I don't speak for the MoinMoin developers in any way, please be
advised that any replies to me may be shared with those developers and indeed
any other parties I choose.
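A defender-side way to hunt access logs for the request pattern discussed in this thread (the `action=moinexec&c=...` URL, and requests to the twikidraw/anywikidraw actions named in CVE-2012-6081). This is an added example, not code from this message or from MoinMoin; the log lines, the action allowlist and the `..` traversal heuristic are constructed assumptions to be tuned for a real deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real wiki.python.org traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2013:22:14:01 +0100] "GET /WikiSandBox?action=moinexec&c=uname%20-a HTTP/1.1" 200 512
198.51.100.7 - - [10/Jan/2013:22:14:05 +0100] "GET /FrontPage?action=edit HTTP/1.1" 200 4096
203.0.113.5 - - [10/Jan/2013:22:14:09 +0100] "GET /WikiSandBox?action=twikidraw&target=../../x HTTP/1.1" 200 300
198.51.100.9 - - [10/Jan/2013:22:15:00 +0100] "GET /FrontPage HTTP/1.1" 200 2048
"""

# Assumption: actions a stock MoinMoin install legitimately serves; extend for your site.
KNOWN_ACTIONS = {"show", "edit", "raw", "print", "diff", "info", "login", "logout",
                 "AttachFile", "RenamePage", "DeletePage", "twikidraw", "anywikidraw"}
# Indicators taken from the thread: the backdoor action and the CVE-2012-6081 drawing actions.
BACKDOOR_ACTIONS = {"moinexec"}
DRAWING_ACTIONS = {"twikidraw", "anywikidraw"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def classify_request(path):
    """Return a reason string if the request looks like MoinMoin action abuse, else None."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for action in params.get("action", []):
        if action in BACKDOOR_ACTIONS:
            # parse_qs already URL-decodes, so "uname%20-a" arrives as "uname -a".
            cmd = params.get("c", [""])[0]
            return f"backdoor action {action!r} with c={cmd!r}"
        if action in DRAWING_ACTIONS and any(".." in v for vs in params.values() for v in vs):
            # Heuristic (assumption): '..' in any parameter of the vulnerable drawing actions.
            return f"suspicious path component in {action} request"
        if action not in KNOWN_ACTIONS:
            # An action name the install does not ship is worth a look on its own.
            return f"unknown action {action!r}"
    return None


def scan_log(text):
    """Yield (client_ip, path, reason) for every log line that trips a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m.group("path"))
        if reason:
            findings.append((m.group("ip"), m.group("path"), reason))
    return findings


if __name__ == "__main__":
    for ip, path, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {reason}")
```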