Debian Bug report logs - #462984
python-moinmoin: MOIN_ID cookie bug


Package: python-moinmoin; Maintainer for python-moinmoin is Steve McIntyre <93sam@debian.org>; Source for python-moinmoin is src:moin (PTS, buildd, popcon).

Reported by: Eldon Koyle <ekoyle@gmail.com>

Date: Mon, 28 Jan 2008 18:45:05 UTC

Owned by: tv@beamnet.de

Severity: serious

Tags: patch, security

Found in versions moin/1.5.8-5, moin/1.5.3-1.2

Fixed in versions moin/1.5.8-5.1, moin/1.5.3-1.2etch1

Done: Thomas Viehmann <tv@beamnet.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#462984; Package python-moinmoin.


Acknowledgement sent to Eldon Koyle <ekoyle@gmail.com>:
New Bug report received and forwarded. Copy sent to Jonas Smedegaard <dr@jones.dk>.


Message #5 received at submit@bugs.debian.org:

From: Eldon Koyle <ekoyle@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-moinmoin: MOIN_ID cookie bug
Date: Mon, 28 Jan 2008 11:43:43 -0700
Package: python-moinmoin
Version: 1.5.8-5
Severity: important
Tags: patch

Allows a malicious user to overwrite files via a bogus cookie.  Should
the severity on this be grave?

Example exploit: http://www.milw0rm.com/exploits/4957 

Here is the upstream patch, which can also be found at
http://hg.moinmo.in/moin/1.5/rev/e69a16b6e630 :

--- a/MoinMoin/user.py	Sun Oct 08 15:06:37 2006 +0200
+++ b/MoinMoin/user.py	Sun Jan 20 23:27:48 2008 +0100
@@ -6,7 +6,7 @@
     @license: GNU GPL, see COPYING for details.
 """
 
-import os, time, sha, codecs
+import os, time, sha, codecs, re
 
 try:
     import cPickle as pickle
@@ -19,6 +19,7 @@ from MoinMoin import config, caching, wi
 from MoinMoin import config, caching, wikiutil
 from MoinMoin.util import filesys, timefuncs
 
+USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?$')
 
 def getUserList(request):
     """ Get a list of all (numerical) user IDs.
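Review bot: `USERID_re` anchors with `^...$`, and in Python `$` also matches just before a trailing newline, so `USERID_re.match()` accepts an id like `1201542243.12\n`; anchoring the end with `\Z` instead makes the allow-list exact. Otherwise the pattern fits what `make_id` produces (`str(time.time())` plus an optional `.<random>` suffix) and admits nothing but digits and dots, which is what keeps the id from naming anything outside `data/user/`.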
@@ -27,10 +28,9 @@ def getUserList(request):
     @rtype: list
     @return: all user IDs
     """
-    import re, dircache
-    user_re = re.compile(r'^\d+\.\d+(\.\d+)?$')
+    import dircache
     files = dircache.listdir(request.cfg.user_dir)
-    userlist = [f for f in files if user_re.match(f)]
+    userlist = [f for f in files if USERID_re.match(f)]
     return userlist
 
 
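Review bot: dropping the function-local `import re` and the duplicate `user_re` so that `getUserList` shares `USERID_re` with the cookie check is the right move, since the two patterns can no longer drift apart; no behaviour change in this hunk beyond that. Leaving `import dircache` local is fine, but a one-line comment on why it is not hoisted with `re` would save the next reader the question.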
@@ -210,7 +210,7 @@ class User:
         self._cfg = request.cfg
         self.valid = 0
         self.trusted = 0
-        self.id = id
+        self.id = self.id_sanitycheck(id)
         self.auth_username = auth_username
         self.auth_method = kw.get('auth_method', 'internal')
         self.auth_attribs = kw.get('auth_attribs', ())
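Review bot: `id_sanitycheck` returns `None` for a rejected cookie, so from this line on `self.id` can be `None` where it previously held the raw cookie value; every path that later loads the profile from `self.id` must treat `None` exactly like "no cookie" (anonymous user) rather than raising. The rejected value is also discarded silently; logging it (length-limited, via `repr`) would make traversal attempts visible in the wiki's logs.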
@@ -298,6 +298,15 @@ class User:
         # use it reliably in edit locking
         from random import randint
         return "%s.%d" % (str(time.time()), randint(0,65535))
+
+    def id_sanitycheck(self, id):
+        """ only return valid user IDs, avoid someone faking his cookie to
+            contain '../../../somefile', breaking out of the data/user/ directory!
+        """
+        if id and USERID_re.match(id):
+            return id
+        else:
+            return None
 
     def create_or_update(self, changed=False):
         """ Create or update a user profile
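Review bot: `id_sanitycheck` never touches `self`, so it could sit as a module-level function or `staticmethod` next to `USERID_re`, and its parameter `id` shadows the builtin (already the case in `__init__`, but new code can avoid it). The check `id and USERID_re.match(id)` correctly rejects the empty string and anything containing a path separator; the `'../../../somefile'` case in the docstring plus one well-formed id from `make_id` would make a good regression test for it.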


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages python-moinmoin depends on:
ii  moinmoin-common               1.5.8-5    Python clone of WikiWiki - common 
ii  python                        2.4.4-6    An interactive high-level object-o
ii  python-support                0.7.6      automated rebuilding support for p

Versions of packages python-moinmoin recommends:
ii  exim4                         4.69-1     meta-package to ease Exim MTA (v4)
ii  exim4-daemon-light [mail-tran 4.69-1     lightweight Exim MTA (v4) daemon

-- no debconf information

-- 
BOFH excuse #345:
Having to manually track the satellite.
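The allow-list check that the upstream patch above introduces, shown as an added Python 3 example that is not part of the bug report or of moin's own code: it uses `re.fullmatch` instead of `match` with `$`, and adds a resolved-path containment check as a second layer that the patch itself does not have. The `user_dir` path, the function names and the sample cookie values are assumptions for the example.

```python
import os
import re
import time
from random import randint

# Allow-list pattern from the upstream patch's USERID_re, here without
# ^/$ because fullmatch() anchors both ends itself (and, unlike '$',
# does not tolerate a trailing newline).
USERID_re = re.compile(r'\d+\.\d+(\.\d+)?')


def make_id():
    """Same shape as moin's id generator: str(time.time()) + '.' + random."""
    return "%s.%d" % (str(time.time()), randint(0, 65535))


def id_sanitycheck(user_id):
    """Return the id only if it is on the allow-list, otherwise None."""
    if user_id and USERID_re.fullmatch(user_id):
        return user_id
    return None


def user_profile_path(user_dir, user_id):
    """Path of the profile file a cookie id would name, or None if rejected.

    Layer 1 is the patch's allow-list check; layer 2 (added here, not in
    the patch) resolves the path and refuses anything outside user_dir.
    """
    checked = id_sanitycheck(user_id)
    if checked is None:
        return None
    base = os.path.realpath(user_dir)
    candidate = os.path.realpath(os.path.join(base, checked))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed cookie values: a well-formed id, a freshly generated one,
    # the traversal string quoted in the patch's docstring, and an empty cookie.
    for cookie in ("1201542243.12.345", make_id(), "../../../somefile", ""):
        print(repr(cookie), "->", user_profile_path("/var/lib/moin/data/user", cookie))
```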




Tags added: security. Request was from Eldon Koyle <ekoyle@gmail.com> to control@bugs.debian.org. (Fri, 08 Feb 2008 01:39:05 GMT)


Severity set to `serious' from `important'. Request was from Eldon Koyle <ekoyle@gmail.com> to control@bugs.debian.org. (Fri, 08 Feb 2008 01:39:06 GMT)


Bug marked as found in version 1.5.3-1.2. Request was from Eldon Koyle <ekoyle@gmail.com> to control@bugs.debian.org. (Tue, 12 Feb 2008 02:39:04 GMT)


Owner recorded as tv@beamnet.de. Request was from tv@beamnet.de (Thomas Viehmann) to control@bugs.debian.org. (Tue, 12 Feb 2008 21:12:54 GMT)


Owner changed from tv@beamnet.de to tv@beamnet.de. Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org. (Tue, 12 Feb 2008 21:14:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>, tv@beamnet.de:
Bug#462984; Package python-moinmoin.


Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>, tv@beamnet.de.


Message #20 received at 462984@bugs.debian.org:

From: Thomas Viehmann <tv@beamnet.de>
To: <462984@bugs.debian.org>
Subject: NMU diff
Date: Tue, 19 Feb 2008 20:44:01 +0100
Hi,

as discussed in private mail, here is the NMU.

Kind regards

T.
[moin_1.5.8-5.1.nmu.diff (text/plain, attachment)]

Reply sent to Thomas Viehmann <tv@beamnet.de>:
You have taken responsibility.


Notification sent to Eldon Koyle <ekoyle@gmail.com>:
Bug acknowledged by developer.


Message #25 received at 462984-close@bugs.debian.org:

From: Thomas Viehmann <tv@beamnet.de>
To: 462984-close@bugs.debian.org
Subject: Bug#462984: fixed in moin 1.5.8-5.1
Date: Tue, 19 Feb 2008 21:02:13 +0000
Source: moin
Source-Version: 1.5.8-5.1

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.5.8-5.1.diff.gz
  to pool/main/m/moin/moin_1.5.8-5.1.diff.gz
moin_1.5.8-5.1.dsc
  to pool/main/m/moin/moin_1.5.8-5.1.dsc
moinmoin-common_1.5.8-5.1_all.deb
  to pool/main/m/moin/moinmoin-common_1.5.8-5.1_all.deb
python-moinmoin_1.5.8-5.1_all.deb
  to pool/main/m/moin/python-moinmoin_1.5.8-5.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 462984@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Viehmann <tv@beamnet.de> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 19 Feb 2008 22:38:10 +0100
Source: moin
Binary: moinmoin-common python-moinmoin
Architecture: source all
Version: 1.5.8-5.1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Thomas Viehmann <tv@beamnet.de>
Description: 
 moinmoin-common - Python clone of WikiWiki - common data
 python-moinmoin - Python clone of WikiWiki - library
Closes: 462984
Changes: 
 moin (1.5.8-5.1) unstable; urgency=high
 .
   * NMU with maintainer consent, urgency for security updates
   * update upstream patches to moin-1.5 branch revision 856 to fix bugs
     + cross-site scripting vulnerabilities using AttachFile,
       CVE-2008-0781
     + directory traversal in MOIN_ID cookie vulnerability,
       CVE-2008-0782 (Closes: #462984)
     + XSS problem in login, CVE-2008-780
Files: 
 7703f3d6a17120559018ef203c22e9a2 879 net optional moin_1.5.8-5.1.dsc
 197373b40368686f7d808b582a5676b7 60044 net optional moin_1.5.8-5.1.diff.gz
 de66d9910702137efae93d1c4b2d909d 1669978 net optional moinmoin-common_1.5.8-5.1_all.deb
 dc55bb027970948f3c1cca2b5c7c342f 1016896 python optional python-moinmoin_1.5.8-5.1_all.deb






Reply sent to Thomas Viehmann <tv@beamnet.de>:
You have taken responsibility.


Notification sent to Eldon Koyle <ekoyle@gmail.com>:
Bug acknowledged by developer.


Message #30 received at 462984-close@bugs.debian.org:

From: Thomas Viehmann <tv@beamnet.de>
To: 462984-close@bugs.debian.org
Subject: Bug#462984: fixed in moin 1.5.3-1.2etch1
Date: Fri, 11 Apr 2008 19:52:37 +0000
Source: moin
Source-Version: 1.5.3-1.2etch1

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.5.3-1.2etch1.diff.gz
  to pool/main/m/moin/moin_1.5.3-1.2etch1.diff.gz
moin_1.5.3-1.2etch1.dsc
  to pool/main/m/moin/moin_1.5.3-1.2etch1.dsc
moinmoin-common_1.5.3-1.2etch1_all.deb
  to pool/main/m/moin/moinmoin-common_1.5.3-1.2etch1_all.deb
python-moinmoin_1.5.3-1.2etch1_all.deb
  to pool/main/m/moin/python-moinmoin_1.5.3-1.2etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 462984@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Viehmann <tv@beamnet.de> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Fri, 15 Feb 2008 23:01:17 +0100
Source: moin
Binary: moinmoin-common python-moinmoin
Architecture: source all
Version: 1.5.3-1.2etch1
Distribution: stable-security
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Thomas Viehmann <tv@beamnet.de>
Description: 
 moinmoin-common - Python clone of WikiWiki - common data
 python-moinmoin - Python clone of WikiWiki - library
Closes: 403363 422408 462984
Changes: 
 moin (1.5.3-1.2etch1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * Adding patches from BTS / upstream up to changeset 856 db212dfc58ef
     + cross-site scripting vulnerabilities using AttachFile,
       CVE-2007-2423, CVE-2008-0781
     + missing access control checks for includes and calendars,
       CVE-2007-2637 (Closes: #422408)
     + directory traversal in MOIN_ID cookie vulnerability,
       CVE-2008-0782 (Closes: #462984)
     + XSS problem in login (CVE-2008-780)
     + XSS problem in gui editor
     + XSS problem in delete page
     + ACL check for dictionaries
     + fix password reminder mails (Closes: #403363)
Files: 
 e95ec46ee8de9527a39793108de22f7d 4187091 net optional moin_1.5.3.orig.tar.gz
 0650a6782cb8b11d99fbfa40378c1dfb 663 net optional moin_1.5.3-1.2etch1.dsc
 13984aca140b63e2303a6034fcd4f9ec 40942 net optional moin_1.5.3-1.2etch1.diff.gz
 2cd40d664082f835b2def29629ff58e8 1596522 net optional moinmoin-common_1.5.3-1.2etch1_all.deb
 0a8dba5cff0e5540e4e55d39855316d4 915318 python optional python-moinmoin_1.5.3-1.2etch1_all.deb






Reply sent to Thomas Viehmann <tv@beamnet.de>:
You have taken responsibility.


Notification sent to Eldon Koyle <ekoyle@gmail.com>:
Bug acknowledged by developer.


Message #35 received at 462984-close@bugs.debian.org:

From: Thomas Viehmann <tv@beamnet.de>
To: 462984-close@bugs.debian.org
Subject: Bug#462984: fixed in moin 1.5.3-1.2etch1
Date: Sat, 26 Jul 2008 09:57:42 +0000
Source: moin
Source-Version: 1.5.3-1.2etch1






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:35:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 11 23:13:18 2018; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.