A possible reflected cross-site scripting attack was discovered in Moin [1]. An attacker able to cause a user to follow a specially crafted malicious link may be able to recover session identifiers or exploit browser vulnerabilities, due to a vulnerable template parameter. The upstream bug report links to patches to correct the flaw.

[1] http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg

Created moin tracking bugs for this issue
Affects: fedora-all [bug 601400]
moin-1.8.8-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/moin-1.8.8-1.fc12
moin-1.8.8-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/moin-1.8.8-1.fc11
moin-1.8.8-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
moin-1.8.8-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
moin-1.9.3-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/moin-1.9.3-1.fc13
moin-1.9.3-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
CVE-2010-2487 description:

Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 and earlier, 1.8.x before 1.8.8, and 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) Page.py, (2) PageEditor.py, (3) PageGraphicalEditor.py, (4) action/CopyPage.py, (5) action/Load.py, (6) action/RenamePage.py, (7) action/backup.py, (8) action/login.py, (9) action/newaccount.py, and (10) action/recoverpass.py.

Current Fedora Moin versions:
1, moin-1.9.3-1.fc13 for Fedora 13
2, moin-1.8.8-1.fc12 for Fedora 12
3, moin-1.8.8-1.fc11 for Fedora 11

contain all upstream fixes mentioned in:
[1] http://moinmo.in/SecurityFixes

affecting Moin v1.9.2 and Moin v1.8.7 versions respectively, i.e.:

moin 1.9.2

* XSS by unescaped content emitted by theme.add_msg (CVE-2010-2487). Affected: likely all up to 1.9.2
  o fix XSS in template parameter
  o fix another potential XSS issue
  o fix more potential XSS issues
    The portion of the above that patches MoinMoin/action/RenamePage.py has two problems
    + It doesn't apply directly to the 1.9.2 base because of other changes.
      # Use this diff made against 1.9.2 for applying to 1.9.2 installation: http://paste.pocoo.org/show/221927/ -- EugeneSyromyatnikov 2010-06-04 15:27:17
    + It contains an extraneous merge artifact ">>>>>>> other".
      # This issue (excuse me for my fault) fixed in http://hg.moinmo.in/moin/1.9/rev/60fde500cbc2 -- EugeneSyromyatnikov 2010-06-04 15:27:17
    There is another problem with the above patch. The patch to MoinMoin/action/login.py does not import wikiutil and at least the 1.9.2 base does not have that import. -- MarkSapiro 2010-06-06 02:36:20
    + f8871116c6b3 -- EugeneSyromyatnikov 2010-06-06 05:38:08
* fix XSS in Despam action (CVE-2010-0828) - thanks to Jamie Strandboge (Ubuntu) for fixing
  o To avoid the issue, please be careful when using Despam action (it is only available for superuser) - please check the page names of the pages to despam first. If they look strange (like containing javascript or html), then don't use Despam to clean them up. If you don't need Despam, you could of course also use actions_excluded to completely disable it.

Fixes security issues of moin 1.9.1:

* 1.9.2 fixes CVE-2010-0669.
* 1.9.2 fixes CVE-2010-0668 (and also CVE-2010-0717 which is just another sub-issue of the same issue)

The Moin v1.8.8-1 version in Fedora 12 and Fedora 11 contains a subset of the issues / patches selected by upstream, which were applicable to the Moin v1.8 version too.
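
The upstream notes quoted above report two defects in the circulated patch: a leftover merge marker in RenamePage.py and a login.py change that uses wikiutil without importing it. The following is an added example (not part of the original bug report and not MoinMoin code) of one way to check a patched file for both before deploying a backport; `check_patched_source` and the sample source are constructed for illustration.

```python
import re

MERGE_MARKER = re.compile(r"^(<{7}|={7}|>{7})(\s|$)")
IMPORT_LINE = re.compile(r"^\s*(?:from\s+[\w.]+\s+import|import)\s+(.*)$")


def check_patched_source(source, required=("wikiutil",)):
    """Return sorted (line_no, problem) findings for one patched file.

    Text-based on purpose, so it works on Python 2 era sources too.
    Limitation: backslash-continued imports are not followed.
    """
    findings, imported, first_use = [], set(), {}
    in_paren_import = False
    for no, line in enumerate(source.splitlines(), 1):
        if MERGE_MARKER.match(line):
            findings.append((no, "merge marker: " + line.strip()))
            continue
        code = line.split("#", 1)[0]  # crude comment strip, ignores '#' in strings
        m = IMPORT_LINE.match(code)
        if m or in_paren_import:
            names = m.group(1) if m else code
            in_paren_import = ("(" in names or in_paren_import) and ")" not in names
            for part in names.replace("(", " ").replace(")", " ").split(","):
                words = part.split()
                if words:
                    # "import a.b as c" binds c; "import a.b" binds a
                    imported.add(words[-1] if "as" in words else words[0].split(".")[0])
            continue
        for name in required:
            if name not in first_use and re.search(r"(?<![\w.])%s\." % re.escape(name), code):
                first_use[name] = no
    for name, no in first_use.items():
        if name not in imported:
            findings.append((no, "%s used but never imported" % name))
    return sorted(findings)


# Constructed sample in the style of a Moin action; not the actual upstream patch.
SAMPLE_BROKEN = '''\
from MoinMoin import config

def execute(pagename, request):
    msg = wikiutil.escape(request.values.get("name", ""))
    request.theme.add_msg(msg, "error")
>>>>>>> other
'''
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "import config", "import config, wikiutil").replace(">>>>>>> other\n", "")

if __name__ == "__main__":
    for line_no, problem in check_patched_source(SAMPLE_BROKEN):
        print("line %d: %s" % (line_no, problem))
```

A missing import of this kind only surfaces as a NameError when the patched code path runs, so a static check catches it before the action is exercised on a live wiki.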