Description

There is a possible reflected Cross-Site Scripting attack. An attacker able to cause a user to follow a specially crafted malicious link may be able to recover session identifiers or exploit browser vulnerabilities. The template parameter is vulnerable, as can be seen by navigating to a URL: http://<site>/NonExistantUser?action=edit&template=<script>alert(document.cookie);</script>

Steps to reproduce

  1. Navigate to a URL of the form: http://<site>/NonExistantUser?action=edit&template=<script>alert(document.cookie);</script>

Example

URL: http://<site>/NonExistantUser?action=edit&template=<script>alert(document.cookie);</script>

Component selection

Details

MoinMoin Version

1.9.2

OS and Version

Linux

Python Version

2.5

Server Setup

Apache

Server Details

N/A

Language you are using the wiki in (set in the browser/UserPreferences)

N/A

Workaround

   1 diff -r 172146fe48a2 MoinMoin/PageEditor.py
   2 --- a/MoinMoin/PageEditor.py    Tue May 11 23:08:11 2010 +0200
   3 +++ b/MoinMoin/PageEditor.py    Thu Jun 03 12:16:26 2010 +0400
   4 @@ -278,14 +278,15 @@
   5          elif 'template' in request.values:
   6              # If the page does not exist, we try to get the content from the template parameter.
   7              template_page = wikiutil.unquoteWikiname(request.values['template'])
   8 +            template_page_escaped = wikiutil.escape(template_page)
   9              if request.user.may.read(template_page):
  10                  raw_body = Page(request, template_page).get_raw_body()
  11                  if raw_body:
  12 -                    request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page, ), 'info')
  13 +                    request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page_escaped, ), 'info')
  14                  else:
  15 -                    request.theme.add_msg(_("[Template %s not found]") % (template_page, ), 'warning')
  16 +                    request.theme.add_msg(_("[Template %s not found]") % (template_page_escaped, ), 'warning')
  17              else:
  18 -                request.theme.add_msg(_("[You may not read %s]") % (template_page, ), 'error')
  19 +                request.theme.add_msg(_("[You may not read %s]") % (template_page_escaped, ), 'error')
  20  
  21          # Make backup on previews - but not for new empty pages
  22          if not use_draft and preview and raw_body:
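
Review bot: The escaping added at line 8 of the patch covers only the three add_msg calls in this branch of PageEditor.py, so any other add_msg caller that interpolates request values into its message would still need the same wikiutil.escape treatment. It is worth auditing those callers, or adding a comment next to template_page_escaped stating that add_msg expects pre-escaped text, so the convention is visible to the next person who adds a message. Keeping the raw template_page for request.user.may.read() and Page() and using the escaped copy only in the three message strings is the correct split and should stay that way.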

Discussion

Is there already a CVE assigned for this?

Plan


CategoryMoinMoinBugFixed

MoinMoin: MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg (last edited 2010-06-07 23:21:00 by customer-static-201-216-254)