Package: moin
Version: 1.5.3-1.1
Severity: important
Tags: patch, security
"Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before
1.5.7 allow remote attackers to inject arbitrary web script or HTML via
(1) the page info, or the page name in a (2) AttachFile, (3) RenamePage,
or (4) LocalSiteMap action."
The upstream changes are visible here:
http://hg.thinkmo.de/moin/1.5?fl=28eb59256911;file=docs/CHANGES
However, LikePages was missed, and the upstream LocalSiteMap fix appears
to be incomplete. Attached is the patch I'm using in Ubuntu.
--
Kees Cook @outflux.net
diff -Nur moin-1.5.3/MoinMoin/action/AttachFile.py moin-1.5.3.new/MoinMoin/action/AttachFile.py
--- moin-1.5.3/MoinMoin/action/AttachFile.py 2006-04-05 11:58:07.000000000 -0700
+++ moin-1.5.3.new/MoinMoin/action/AttachFile.py 2007-02-09 13:03:48.636705206 -0800
@@ -275,7 +275,7 @@
str = str + "</ul>"
else:
if showheader:
- str = '%s<p>%s</p>' % (str, _("No attachments stored for %(pagename)s") % {'pagename': pagename})
+ str = '%s<p>%s</p>' % (str, _("No attachments stored for %(pagename)s") % {'pagename': wikiutil.escape(pagename)})
return str
diff -Nur moin-1.5.3/MoinMoin/action/LikePages.py moin-1.5.3.new/MoinMoin/action/LikePages.py
--- moin-1.5.3/MoinMoin/action/LikePages.py 2006-03-22 01:25:59.000000000 -0800
+++ moin-1.5.3.new/MoinMoin/action/LikePages.py 2007-02-09 13:06:13.428072725 -0800
@@ -28,14 +28,14 @@
# No matches
if not matches:
Page(request, pagename).send_page(request,
- msg = _('No pages like "%s"!') % (pagename,))
+ msg = _('No pages like "%s"!') % (wikiutil.escape(pagename),))
return
# One match - display it
if len(matches) == 1:
Page(request, matches.keys()[0]).send_page(request,
msg = _('Exactly one page like "%s" found, redirecting to page.') % (
- pagename,))
+ wikiutil.escape(pagename),))
return
# more than one match, list 'em
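Review bot: Escaping `pagename` at each call site leaves `send_page(msg=...)` as a sink that, judging by this fix, emits `msg` as raw HTML, so any other caller that formats a page name into `msg` stays exposed; the report itself notes that this file was missed upstream. The same call-site pattern applies to the `send_title` hunk below and to the `link_tag` hunk in LocalSiteMap.py. I would record the contract next to both calls here, e.g. `# msg is rendered as HTML: escape every user-controlled value formatted into it`, and follow up with an audit of the remaining `msg=` callers. The enclosing function starts and ends outside the hunk.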
@@ -44,7 +44,7 @@
# This action generate data using the user language
request.setContentLanguage(request.lang)
- wikiutil.send_title(request, _('Pages like "%s"') % (pagename),
+ wikiutil.send_title(request, _('Pages like "%s"') % (wikiutil.escape(pagename)),
pagename=pagename)
# Start content - IMPORTANT - without content div, there is no
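Review bot: `% (wikiutil.escape(pagename))` on the `send_title` line is a parenthesised string, not a tuple, unlike the `(wikiutil.escape(pagename),)` form used in the two `msg` calls earlier in this file; writing `_('Pages like "%s"') % (wikiutil.escape(pagename),)` keeps the three consistent. Separately, `send_title` is not visible here: if it already escapes its text for the `<title>` element, the page name would now be double-encoded there, which is worth checking with a page whose name contains `&`. The `pagename=pagename` keyword is left raw, presumably because it is used to build links rather than printed; that should be confirmed.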
diff -Nur moin-1.5.3/MoinMoin/action/LocalSiteMap.py moin-1.5.3.new/MoinMoin/action/LocalSiteMap.py
--- moin-1.5.3/MoinMoin/action/LocalSiteMap.py 2005-09-22 09:22:09.000000000 -0700
+++ moin-1.5.3.new/MoinMoin/action/LocalSiteMap.py 2007-02-09 13:03:48.636705206 -0800
@@ -70,7 +70,7 @@
if not name: return
self.append(' ' * (5*depth))
self.append(' ' + wikiutil.link_tag(request, '%s?action=%s' %
- (wikiutil.quoteWikinameURL(name), __name__.split('.')[-1]), name))
+ (wikiutil.quoteWikinameURL(name), __name__.split('.')[-1]), wikiutil.escape(name)))
self.append(" <small>[")
self.append(Page(request, name).link_to(request, 'view'))
self.append("</small>]<br>")
diff -Nur moin-1.5.3/MoinMoin/action/RenamePage.py moin-1.5.3.new/MoinMoin/action/RenamePage.py
--- moin-1.5.3/MoinMoin/action/RenamePage.py 2005-12-18 13:09:42.000000000 -0800
+++ moin-1.5.3.new/MoinMoin/action/RenamePage.py 2007-02-09 13:03:48.636705206 -0800
@@ -148,7 +148,7 @@
'error': error,
'action': self.__class__.__name__,
'ticket': wikiutil.createTicket(),
- 'pagename': self.pagename,
+ 'pagename': wikiutil.escape(self.pagename, 1),
'rename': _('Rename Page'),
'cancel': _('Cancel'),
'newname_label': _("New name"),
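Review bot: `'error': error`, four lines above the changed line, goes into the same form dictionary unescaped; `error` is built outside the hunk, and if it can embed the requested new page name it needs the same treatment as `pagename`. The bare `1` passed to `wikiutil.escape` is the quote flag and deserves a comment such as `# quote flag set: value is placed inside an HTML attribute`, assuming the form template (also outside the hunk) puts it in a double-quoted attribute. If that template delimits the attribute with single quotes, quoting `"` alone would not be sufficient.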
diff -Nur moin-1.5.3/MoinMoin/theme/__init__.py moin-1.5.3.new/MoinMoin/theme/__init__.py
--- moin-1.5.3/MoinMoin/theme/__init__.py 2006-04-15 12:09:38.000000000 -0700
+++ moin-1.5.3.new/MoinMoin/theme/__init__.py 2007-02-09 13:03:48.636705206 -0800
@@ -628,7 +628,7 @@
info = _("last edited %(time)s by %(editor)s") % info
else:
info = _("last modified %(time)s") % info
- pagename = page.page_name
+ pagename = wikiutil.escape(page.page_name)
if self.request.cfg.show_interwiki:
pagename = "%s: %s" % (self.request.cfg.interwikiname, pagename)
info = "%s (%s)" % (pagename, info)
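Review bot: After this change the local `pagename` holds HTML-escaped text rather than a page name, which is easy to misuse if code after the hunk passes it to anything other than HTML output (the function continues outside the hunk). A comment on the new line, e.g. `# escaped for display in the page info line only`, or a distinct name such as `pagename_html`, would make that explicit. `interwikiname` is concatenated unescaped, which is acceptable only as long as it stays administrator-controlled configuration.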