MoinMoin: Multiple vulnerabilities
Security Team
Contact Address
Updated March 18, 20081.
Gentoo Linux Security Advisory
Version Information
| Advisory Reference |
GLSA 200803-27 / moinmoin |
| Release Date |
March 18, 2008 |
| Latest Revision |
March 18, 2008: 01 |
| Impact |
normal |
| Exploitable |
remote |
| Package |
Vulnerable versions |
Unaffected versions |
Architecture(s) |
| www-apps/moinmoin |
<
1.6.1 |
>=
1.6.1 |
All supported architectures
|
Related bugreports:
#209133
Synopsis
Several vulnerabilities have been reported in MoinMoin Wiki Engine.
2.
Impact Information
Background
MoinMoin is an advanced, easy to use and extensible Wiki Engine.
Description
Multiple vulnerabilities have been discovered:
-
A vulnerability exists in the file wikimacro.py because the
_macro_Getval function does not properly enforce ACLs
(CVE-2008-1099).
-
A directory traversal vulnerability exists in the userform action
(CVE-2008-0782).
-
A Cross-Site Scripting vulnerability exists in the login action
(CVE-2008-0780).
-
Multiple Cross-Site Scripting vulnerabilities exist in the file
action/AttachFile.py when using the message, pagename, and target
filenames (CVE-2008-0781).
-
Multiple Cross-Site Scripting vulnerabilities exist in
formatter/text_gedit.py (aka the gui editor formatter) which can be
exploited via a page name or destination page name, which trigger an
injection in the file PageEditor.py (CVE-2008-1098).
Impact
These vulnerabilities can be exploited to allow remote attackers to
inject arbitrary web script or HTML, overwrite arbitrary files, or read
protected pages.
3.
Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All MoinMoin users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/moinmoin-1.6.1"
|
4.
References