MoinMoin: Group ACL bypass
Gentoo Linux Security Advisory
||GLSA 200407-09 / MoinMoin
||July 11, 2004
||May 22, 2006: 02
All supported architectures
MoinMoin contains a bug allowing a user to bypass group ACLs (Access
MoinMoin is a Python clone of WikiWiki, based on PikiPiki.
MoinMoin contains a bug in the code handling administrative group ACLs.
A user created with the same name as an administrative group gains the
privileges of the administrative group.
If an administrative group called AdminGroup existed an attacker could
create a user called AdminGroup and gain the privileges of the group
AdminGroup. This could lead to unauthorized users gaining
For every administrative group with special privileges create a user
with the same name as the group.
All users should upgrade to the latest available version of MoinMoin,
Code Listing 3.1: Resolution
# emerge sync
# emerge -pv ">=www-apps/moinmoin-1.2.2"
# emerge ">=www-apps/moinmoin-1.2.2"