[Moin-user] Vulnerabilities affecting MoinMoin 1.5.7 Release? (CVE-2007-901, 902)
Thomas Waldmann
tw-public at gmx.de
Sat Mar 17 09:23:03 EDT 2007

> It's come to my attention that a few relatively recent security reports
> allege vulnerabilities including cross-site scripting in MoinMoin up to
> and including release 1.5.7

The pagename (AttachFile, RenamePage, LocalSiteMap) and page info XSS
bugs were fixed in 1.5.7 and this is documented in docs/CHANGES.

The other report advising show_traceback (this seems to be a 3rd party
patch, not a moin feature) as solution for another potential
vulnerability is rather vague about what the exact problem is and what
the exploit could be.

Whether showing version numbers of some involved software (OS, Python,
Moin) is a security bug by itself is discussable. One thing is sure: if
we disable tracebacks and version information, the bugs reported by our
users would be of much lower quality and debugging would be harder and
take longer.

See also:
http://moinmoin.wikiwikiweb.de/MoinMoinBugs/DisableExceptionDebugging

In general, I must say that I am a bit disappointed with the quality of
such security reports and some security news (like that on heise
recently). They are partly incorrect, rather vague and sometimes seem to
over-hype things a bit (like heise first telling that you could execute
code on the SERVER - they fixed it some hours later) and heavy
crosslinking of such things doesn't help either.

Of course XSS is a problem, but, for the recent moin cases, it is not
something to panic about.

If someone creates a page named Bla<insert javascript exploit code
here>Bla, you will notice that on RecentChanges. Similar thing if
someone tries to trick you into going to some URL of that kind, you will
notice it (hopefully) before you click.

If you can be tricked into such stuff, I guess you will be "fished"
daily anyway (and those guys don't just steal your moin cookie, but $$$$
from your bank/paypal/whatever account).