Bug 601399 (CVE-2010-2487) - CVE-2010-2487 moin: Multiple XSS issues
Summary: CVE-2010-2487 moin: Multiple XSS issues
Alias: CVE-2010-2487
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: public=20100603,reported=20100606,sou...
Keywords: Security
Depends On: 601400
TreeView+ depends on / blocked
Reported: 2010-06-07 21:00 UTC by Vincent Danen
Modified: 2019-06-08 13:01 UTC (History)
3 users (show)

Clone Of:
Last Closed: 2011-03-10 10:23:08 UTC

Attachments (Terms of Use)

Description Vincent Danen 2010-06-07 21:00:49 UTC
A possible reflected cross-site scripting attack was discovered in Moin [1].  An attacker able to cause a user to follow a specially crafted malicious link may be able to recover session identifiers or exploit browser vulnerabilities, due to a vulnerable template parameter.  The upstream bug report links to patches to correct the flaw.

[1] http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg

Comment 1 Vincent Danen 2010-06-07 21:01:40 UTC
Created moin tracking bugs for this issue

Affects: fedora-all [bug 601400]

Comment 2 Fedora Update System 2010-06-13 21:45:47 UTC
moin-1.8.8-1.fc12 has been submitted as an update for Fedora 12.

Comment 3 Fedora Update System 2010-06-13 21:49:49 UTC
moin-1.8.8-1.fc11 has been submitted as an update for Fedora 11.

Comment 4 Fedora Update System 2010-06-14 17:17:54 UTC
moin-1.8.8-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2010-06-14 17:22:03 UTC
moin-1.8.8-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2010-06-28 19:05:32 UTC
moin-1.9.3-1.fc13 has been submitted as an update for Fedora 13.

Comment 7 Fedora Update System 2010-06-29 15:37:52 UTC
moin-1.9.3-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Jan Lieskovsky 2010-08-27 10:10:25 UTC
CVE-2010-2487 description:

Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 and
earlier, 1.8.x before 1.8.8, and 1.9.x before 1.9.3 allow remote attackers
to inject arbitrary web script or HTML via crafted content, related to (1)
Page.py, (2) PageEditor.py, (3) PageGraphicalEditor.py, (4) action/CopyPage.py,
(5) action/Load.py, (6) action/RenamePage.py, (7) action/backup.py, (8)
action/login.py, (9) action/newaccount.py, and (10) action/recoverpass.py. 

Current Fedora Moin versions:
1, moin-1.9.3-1.fc13 for Fedora 13
2, moin-1.8.8-1.fc12 for Fedora 12
3, moin-1.8.8-1.fc11 for Fedora 11

contains all upstream fixes mentioned in:
  [1] http://moinmo.in/SecurityFixes
affecting Moin v1.9.2 and Moin v.1.8.7 versions respectively, i.e.:

moin 1.9.2

    * XSS by unescaped content emitted by theme.add_msg (CVE-2010-2487).
      Affected: likely all up to 1.9.2
      o fix XSS in template parameter
      o fix another potential XSS issue
      o fix more potential XSS issues
        The portion of the above that patches MoinMoin/action/RenamePage.py
        has two problems
          + It doesn't apply directly to the 1.9.2 base because of other
            # Use this diff made against 1.9.2 for applying to 1.9.2
              installation: http://paste.pocoo.org/show/221927/
              -- EugeneSyromyatnikov 2010-06-04 15:27:17 
          + It contains an extraneous merge artifact ">>>>>>> other".
            # This issue (excuse me for my fault) fixed in
              -- EugeneSyromyatnikov 2010-06-04 15:27:17 

        There is another problem with the above patch. The patch to
        MoinMoin/action/login.py does not import wikiutil and at least
        the 1.9.2 base does not have that import.
        -- MarkSapiro 2010-06-06 02:36:20
          + f8871116c6b3 -- EugeneSyromyatnikov 2010-06-06 05:38:08 

    * fix XSS in Despam action (CVE-2010-0828) - thanks to Jamie Strandboge
      (Ubuntu) for fixing
        o To avoid the issue, please be careful when using Despam action
          (it is only available for superuser) - please check the page names
          of the pages to despam first. If they look strange (like containing
          javascript or html), then don't use Despam to clean them up. If you
          don't need Despam, you could of course also use actions_excluded to
          completely disable it. 

Fixes security issues of moin 1.9.1:

    * 1.9.2 fixes CVE-2010-0669.
    * 1.9.2 fixes CVE-2010-0668
      (and also CVE-2010-0717 which is just another sub-issue of the same

Moin v1.8.8-1 version in Fedora 12 and Fedora 11 contains subset of by
upstream selected issues / patches, which were applicable to Moin v1.8
version too.

Note You need to log in before you can comment on or make changes to this bug.