Bug#410338: marked as done (CVE-2007-0857: pagename XSS)

2007-02-27 Thread Debian Bug Tracking System
Your message dated Tue, 27 Feb 2007 09:47:03 +
with message-id <[EMAIL PROTECTED]>
and subject line Bug#410338: fixed in moin 1.5.3-1.2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: moin
Version: 1.5.3-1.1
Severity: important
Tags: patch, security

"Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before 
1.5.7 allow remote attackers to inject arbitrary web script or HTML via 
(1) the page info, or the page name in a (2) AttachFile, (3) RenamePage, 
or (4) LocalSiteMap action."

The upstream changes are visible here:
http://hg.thinkmo.de/moin/1.5?fl=28eb59256911;file=docs/CHANGES

However, LikePages was missed, and the upstream LocalSiteMap fix appears 
to be incomplete.  Attached is the patch I'm using in Ubuntu.

-- 
Kees Cook@outflux.net
diff -Nur moin-1.5.3/MoinMoin/action/AttachFile.py moin-1.5.3.new/MoinMoin/action/AttachFile.py
--- moin-1.5.3/MoinMoin/action/AttachFile.py	2006-04-05 11:58:07.0 -0700
+++ moin-1.5.3.new/MoinMoin/action/AttachFile.py	2007-02-09 13:03:48.636705206 -0800
@@ -275,7 +275,7 @@
 str = str + ""
 else:
 if showheader:
-str = '%s%s' % (str, _("No attachments stored for %(pagename)s") % {'pagename': pagename})
+str = '%s%s' % (str, _("No attachments stored for %(pagename)s") % {'pagename': wikiutil.escape(pagename)})
 
 return str
 
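Review bot: `wikiutil.escape(pagename)` on the `+` line is applied inline at this one sink, so any other string in AttachFile.py that interpolates `pagename` into HTML still depends on someone remembering to do the same. Consider binding an escaped copy once near the top of the function and using that name in every user-visible message. Separately, the context lines show the accumulator is named `str`, which shadows the builtin; renaming it would be a reasonable follow-up.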
diff -Nur moin-1.5.3/MoinMoin/action/LikePages.py moin-1.5.3.new/MoinMoin/action/LikePages.py
--- moin-1.5.3/MoinMoin/action/LikePages.py	2006-03-22 01:25:59.0 -0800
+++ moin-1.5.3.new/MoinMoin/action/LikePages.py	2007-02-09 13:06:13.428072725 -0800
@@ -28,14 +28,14 @@
 # No matches
 if not matches:
 Page(request, pagename).send_page(request,
-msg = _('No pages like "%s"!') % (pagename,))
+msg = _('No pages like "%s"!') % (wikiutil.escape(pagename),))
 return
 
 # One match - display it
 if len(matches) == 1:
 Page(request, matches.keys()[0]).send_page(request,
 msg = _('Exactly one page like "%s" found, redirecting to page.') % (
-pagename,))
+wikiutil.escape(pagename),))
 return
 
 # more than one match, list 'em
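Review bot: Both `msg =` lines in this hunk repeat `wikiutil.escape(pagename)`, and the title in the next hunk does so a third time; assign it once (for example `escaped = wikiutil.escape(pagename)`) before the `if not matches:` check so a message added later cannot miss it. The change also assumes `send_page` emits `msg` as raw HTML. If `send_page` escapes `msg` itself, the page name will now be double-escaped, so that is worth confirming.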
@@ -44,7 +44,7 @@
 # This action generate data using the user language
 request.setContentLanguage(request.lang)
 
-wikiutil.send_title(request, _('Pages like "%s"') % (pagename),
+wikiutil.send_title(request, _('Pages like "%s"') % (wikiutil.escape(pagename)),
 pagename=pagename)
 
 # Start content - IMPORTANT - without content div, there is no
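Review bot: The `pagename=pagename` keyword on the line after the changed `send_title` call still passes the raw name, so check that `send_title` escapes or URL-quotes that argument wherever it renders it; only the title text is covered here. Minor style point: `(wikiutil.escape(pagename))` is a parenthesised string rather than a one-element tuple, unlike the `(wikiutil.escape(pagename),)` form used in the hunk above; adding the trailing comma keeps the `%` formatting consistent.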
diff -Nur moin-1.5.3/MoinMoin/action/LocalSiteMap.py moin-1.5.3.new/MoinMoin/action/LocalSiteMap.py
--- moin-1.5.3/MoinMoin/action/LocalSiteMap.py	2005-09-22 09:22:09.0 -0700
+++ moin-1.5.3.new/MoinMoin/action/LocalSiteMap.py	2007-02-09 13:03:48.636705206 -0800
@@ -70,7 +70,7 @@
 if not name: return
 self.append(' ' * (5*depth))
 self.append(' ' + wikiutil.link_tag(request, '%s?action=%s' %
-(wikiutil.quoteWikinameURL(name), __name__.split('.')[-1]), name))
+(wikiutil.quoteWikinameURL(name), __name__.split('.')[-1]), wikiutil.escape(name)))
 self.append(" [")
 self.append(Page(request, name).link_to(request, 'view'))
 self.append("]")
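Review bot: `Page(request, name).link_to(request, 'view')`, two lines below the changed line, still receives the raw `name`. Since the report describes the upstream LocalSiteMap fix as incomplete, confirm that `link_to` quotes the name in the URL it builds, or state in the patch description that it was checked. The changed line itself keeps `quoteWikinameURL(name)` for the href and escapes only the link text, which is the right split between URL and HTML contexts.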
diff -Nur moin-1.5.3/MoinMoin/action/RenamePage.py moin-1.5.3.new/MoinMoin/action/RenamePage.py
--- moin-1.5.3/MoinMoin/action/RenamePage.py	2005-12-18 13:09:42.0 -0800
+++ moin-1.5.3.new/MoinMoin/action/RenamePage.py	2007-02-09 13:03:48.636705206 -0800
@@ -148,7 +148,7 @@
 'error': error,
 'action': self.__class__.__name__,
 'ticket': wikiutil.createTicket(),
-'pagename': self.pagename,
+'pagename': wikiutil.escape(self.pagename, 1),
 'rename': _('Rename Page'),
 'cancel': _('Cancel'),
 'newname_label': _("New name"),
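Review bot: `wikiutil.escape(self.pagename, 1)` is the only call in this patch that passes a second argument, and nothing in the hunk says why. If the `1` is a quote flag because `pagename` is substituted into an HTML attribute in the rename form, say so in a comment, and check which quote character the form template uses around the value, since a flag that escapes only double quotes does not protect a single-quoted attribute.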
diff -Nur moin-1.5.3/MoinMoin/theme/__init__.py moin-1.5.3.new/MoinMoin/theme/__init__.py
--- moin-1.5.3/MoinMoin/theme/__init__.py	2006-04-15 12:09:38.0 -0700
+++ moin-1.5.3.new/MoinMoin/theme/__init__.py	2007-02-09 13:03:48.636705206 -0800
@@ -628,7 +628,7 @@
 info = _("last edited %(time)s by %(editor)s") % info
 else:
 info = _("last modified %(time)s") % info
-pagename = page.page_name
+pagename = wikiut

Bug#410338: marked as done (CVE-2007-0857: pagename XSS)

2007-03-17 Thread Debian Bug Tracking System
Your message dated Sat, 17 Mar 2007 08:32:03 +
with message-id <[EMAIL PROTECTED]>
and subject line Bug#410338: fixed in moin 1.5.7-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
