1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200407-09 / MoinMoin |
| Release Date | July 11, 2004 |
| Latest Revision | May 22, 2006: 02 |
| Impact | normal |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| www-apps/moinmoin | <= 1.2.1 | >= 1.2.2 | All supported architectures |
Related bugreports: #53126
MoinMoin contains a bug allowing a user to bypass group ACLs (Access Control Lists).
MoinMoin is a Python clone of WikiWiki, based on PikiPiki.
MoinMoin contains a bug in the code handling administrative group ACLs. A user created with the same name as an administrative group gains the privileges of the administrative group.
If an administrative group called AdminGroup existed an attacker could create a user called AdminGroup and gain the privileges of the group AdminGroup. This could lead to unauthorized users gaining administrative access.
For every administrative group with special privileges create a user with the same name as the group.
All users should upgrade to the latest available version of MoinMoin, as follows:
Code Listing 3.1: Resolution |
# emerge sync # emerge -pv ">=www-apps/moinmoin-1.2.2" # emerge ">=www-apps/moinmoin-1.2.2" |