Description
There is a possible reflected cross-site scripting (XSS) attack. An attacker able to cause a user to follow a specially crafted malicious link may be able to recover session identifiers or exploit browser vulnerabilities. The template parameter is vulnerable, as can be seen by navigating to a URL of the form: http://<site>/NonExistantUser?action=edit&template=<script>alert(document.cookie);</script>
Steps to reproduce
Navigate to a URL of the form: http://<site>/NonExistantUser?action=edit&template=<script>alert(document.cookie);</script>
Example
URL: http://<site>/NonExistantUser?action=edit&template=<script>alert(document.cookie);</script>
Component selection
- add_msg expects correctly escaped input, but escaping isn't done in all the places that call it
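One way to look for other call sites with the same problem, as an added example that is not MoinMoin code: a small `ast` scan that flags `add_msg` calls whose `%` arguments are not passed through an `escape()` call. The sample input is constructed from the add_msg lines in the Workaround patch on this page; the function names `find_unescaped_add_msg` and `_is_escape_call` are hypothetical, and the script assumes Python 3.9+ and source that this interpreter can parse.

```python
import ast

# Constructed sample modelled on the add_msg calls in the patch on this page:
# the first call interpolates the raw value, the others use escaped values.
SAMPLE = '''
template_page = wikiutil.unquoteWikiname(request.values['template'])
request.theme.add_msg(_("[Template %s not found]") % (template_page, ), 'warning')
request.theme.add_msg(_("[You may not read %s]") % (wikiutil.escape(template_page), ), 'error')
safe = wikiutil.escape(template_page)
request.theme.add_msg(_("[Content of new page loaded from %s]") % (safe, ), 'info')
request.theme.add_msg(_("Saved."), 'info')
'''

def _is_escape_call(node):
    """True for wikiutil.escape(...) or a bare escape(...) call."""
    if not isinstance(node, ast.Call):
        return False
    f = node.func
    name = f.attr if isinstance(f, ast.Attribute) else getattr(f, 'id', None)
    return name == 'escape'

def find_unescaped_add_msg(source):
    """Return (lineno, expr) for each add_msg '%' argument that is not a literal,
    an escape() call, or a name assigned from escape() (flow-insensitive)."""
    tree = ast.parse(source)
    escaped_names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_escape_call(node.value):
            escaped_names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == 'add_msg' and node.args):
            continue
        msg = node.args[0]
        if not (isinstance(msg, ast.BinOp) and isinstance(msg.op, ast.Mod)):
            continue  # message has no '%' interpolation
        values = msg.right.elts if isinstance(msg.right, ast.Tuple) else [msg.right]
        for v in values:
            if _is_escape_call(v) or isinstance(v, ast.Constant):
                continue
            if isinstance(v, ast.Name) and v.id in escaped_names:
                continue
            findings.append((node.lineno, ast.unparse(v)))
    return findings

if __name__ == '__main__':
    for lineno, expr in find_unescaped_add_msg(SAMPLE):
        print("line %d: add_msg interpolates unescaped %s" % (lineno, expr))
```

A finding is a prompt for manual review, not proof of a flaw: the value may already be safe for other reasons, and the scan does not follow reassignment of an escaped name.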
Details
| MoinMoin Version | 1.9.2 |
| OS and Version | Linux |
| Python Version | 2.5 |
| Server Setup | Apache |
| Server Details | N/A |
| Language you are using the wiki in (set in the browser/UserPreferences) | N/A |
Workaround
1 diff -r 172146fe48a2 MoinMoin/PageEditor.py
2 --- a/MoinMoin/PageEditor.py Tue May 11 23:08:11 2010 +0200
3 +++ b/MoinMoin/PageEditor.py Thu Jun 03 12:16:26 2010 +0400
4 @@ -278,14 +278,15 @@
5 elif 'template' in request.values:
6 # If the page does not exist, we try to get the content from the template parameter.
7 template_page = wikiutil.unquoteWikiname(request.values['template'])
8 + template_page_escaped = wikiutil.escape(template_page)
9 if request.user.may.read(template_page):
10 raw_body = Page(request, template_page).get_raw_body()
11 if raw_body:
12 - request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page, ), 'info')
13 + request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page_escaped, ), 'info')
14 else:
15 - request.theme.add_msg(_("[Template %s not found]") % (template_page, ), 'warning')
16 + request.theme.add_msg(_("[Template %s not found]") % (template_page_escaped, ), 'warning')
17 else:
18 - request.theme.add_msg(_("[You may not read %s]") % (template_page, ), 'error')
19 + request.theme.add_msg(_("[You may not read %s]") % (template_page_escaped, ), 'error')
20
21 # Make backup on previews - but not for new empty pages
22 if not use_draft and preview and raw_body:
Discussion
Is there already a CVE assigned for this?
Plan
- Priority:
- Assigned to:
- Status:
template-param patch from above applied by 68ba3cc79513.
1.7 fixed in 37306fba2189 (with f8871116c6b3 adding the wikiutil module that was missed in action/login.py)
1.8 fixed in 4238b0c90871 (with bb27a4b9dfe3 adding the wikiutil module that was missed in action/login.py)
1.9 fixed in 4fe9951788cb (separate fix for SlideShow action), e50b087c4572 + 60fde500cbc2 (with 282ff1a50c4d adding the wikiutil module that was missed in action/login.py)