Reporting Security Issues
If you have a security issue to report or even a security fix to propose, please contact ThomasWaldmann.
Security Fix Announcements
This page is intended for moin package maintainers, moin distributors (see also our Advisory for Distributors) and users interested in receiving security fix notifications.
If you want to receive such notifications via email, just create a user account and subscribe to this page. You will receive an email as soon as someone updates this page.
For each version listed here, we list the important and reasonably recent issues that were fixed after that release. See the page Security Fixes Installation for information on how to apply the fixes.
If this page gets too long over time, we will remove old version information (you can use the info action to access this page's history) - if you are interested in security, you should not run stone-age software.
moin 1.9.11
- Fixes security issues of 1.9.10.
- Fixes CVE-2020-25074 and CVE-2020-15275; for details, see https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11
moin 1.9.10
- Fixes security issues of 1.9.9.
- Fix for CVE-2017-5934: https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024
moin 1.9.9
- Fixes security issues of 1.9.8.
- XSS in GUI editor related code CVE-2017-5934
moin 1.9.8
- XSS in AttachFile view (multifile related) CVE-2016-7148
- XSS in GUI editor's attachment dialogue CVE-2016-7146
- XSS in GUI editor's link dialogue CVE-2016-9119
- Fixes issues found in 1.9.7.
moin 1.9.7
- XSS in useragent event stats. Fix: http://hg.moinmo.in/moin/1.9/rev/7dd392e803fa
- 1.9.7 improves security / admin tools for handling the security issues of moin <= 1.9.5:
  - 1.9.7 improves password hash security a lot by using passlib and sha512_crypt hashes
  - 1.9.7 also adds tools to better deal with resetting/invalidating passwords, notifying users of this, and forcing an upgrade to more secure hashes for all users; see the resetpw script command.
moin 1.9.6
- Fixes security issues of 1.9.5.
moin 1.9.5
- Path traversal vulnerability in AttachFile action CVE-2012-6080
  - Affected: 1.9.3 .. 1.9.5
  - If you can't apply the fix yourself, follow the instructions given below immediately to prevent your system from getting compromised:
    - add 'AttachFile' to the actions_excluded list (for instructions, see the issue below)
    - Note: this will disable all attachment related functionality, so you had better apply the fix as soon as possible.
- Remote code execution vulnerability in twikidraw/anywikidraw action CVE-2012-6081
  - Affected: likely all moin 1.9.x versions, including 1.9.5. The attacker needs "write" permission.
  - Fix: fix remote code execution vulnerability in twikidraw/anywikidraw actions
  - BTW, the hacker group that used this vulnerability some months ago has now published the exploit code on the web. So if you are still running vulnerable moin code, patch or upgrade now.
  - For more information, please see SecurityFixes/CVE-2012-6081.
- Fix XSS issue, escape page name in rss link CVE-2012-6082
- Make taintfilename more secure
  - added some more potentially harmful characters to the replacement list
- Escape user- or admin-defined css url
  - maybe harmless, this url is defined by the admin or by the wiki user in user preferences
- Use a constant time str comparison function to prevent timing attacks
- Fixes security issues of 1.9.4.
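The two attachment-related items above (the AttachFile path traversal, CVE-2012-6080, and the hardened taintfilename) fit together as one defensive pattern: sanitize the user-supplied name, then verify the resolved path is still inside the attachment directory. This is an added illustration, not moin's own code (moin 1.9 is Python 2; this is Python 3), and the harmful character set in _HARMFUL and the attachment directory path are assumptions.

```python
import os
import re

# Constructed example (not moin's own taintfilename); the character set below
# is an assumption: path separators, shell/HTML metacharacters, control chars.
_HARMFUL = re.compile(r'[\\/:*?"<>|\x00-\x1f\x7f]')


def taint_filename(basename):
    """Replace potentially harmful characters in a user-supplied attachment
    name with '_' and neutralise '..' so it can never mean 'parent dir'."""
    name = _HARMFUL.sub('_', basename)
    name = name.replace('..', '_')
    name = name.strip(' .')          # no leading/trailing dots or spaces
    return name or '_'


def is_within(root, candidate):
    """True if candidate, after resolving symlinks and '..', is inside root."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([root, candidate]) == root


def attachment_path(attach_dir, user_filename):
    """Build the on-disk path for an attachment. Tainting stops traversal at
    the name level; the containment check is defence in depth against the
    CVE-2012-6080 bug class (AttachFile reaching outside its directory)."""
    safe_name = taint_filename(user_filename)
    candidate = os.path.join(os.path.realpath(attach_dir), safe_name)
    if not is_within(attach_dir, candidate):
        raise ValueError("attachment path escapes %r" % attach_dir)
    return candidate


if __name__ == '__main__':
    root = '/srv/wiki/data/pages/FrontPage/attachments'   # constructed path
    for name in ('report.pdf', '../../../wikiconfig.py', 'x<script>.png'):
        print(name, '->', attachment_path(root, name))
    # the raw (untainted) traversal string is rejected by the containment check
    print(is_within(root, os.path.join(root, '..', '..', 'wikiconfig.py')))
```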
moin 1.9.4
- Virtual group bug in ACL evaluation CVE-2012-4404
  - The bugfix is the small patch for MoinMoin/security/__init__.py.
  - The other (bigger) change only adds a new unit test for the correct behaviour (optional).
  - Severity: IF you have groups / ACLs that trigger the issue, users might get wrong permissions within the wiki, e.g.:
    - read stuff they should not be allowed to read
    - modify/delete stuff they should not be allowed to modify/delete
    - change ACLs (or use other functionality that checks the "admin" capability) they should not be allowed to change
  - Workaround:
    - It depends on the ACLs and groups used in your wiki. In some cases you won't be affected by the bug at all; in others it might be a lot of work to work around the issue.
    - You could use the detailed description linked above to implement YOUR workaround, but we do not recommend this.
    - We recommend just applying the patch to fix the issue or installing a fixed version of moin (as soon as it is available).
- Fixes security issues of 1.9.3.
moin 1.9.3
- XSLT / 4suite issue (used by xslt parser)
  - Filesystem access (read/write/overwrite arbitrary path/file as the moin process uid/gid) is possible using xslt/4suite.
  - This is kind of a "feature" of xslt/4suite, but of course you don't want that, except maybe if you only have very trusted editors and run it in your intranet.
  - Workaround (put this into your wiki config):
    allow_xslt = 0
  - allow_xslt = 0 is the default (so if you do not explicitly set it to a different value, it is disabled and you are not affected)
  - xslt processing depends on 4suite being installed (so even if allow_xslt is truthy, it won't work if 4suite is not installed)
  - you can check whether you have content that wants to use the xslt parser by doing a full-text search in your wiki for:
    - xslt
    - re:"\<\?xml"
  - As this issue is a feature of xslt/4suite, we can't do much about it (we already have it off by default, so users are safe by default). We have documented that enabling xslt is very dangerous. If you have a better idea, contact ThomasWaldmann.
  - Thanks to Nicolas Gregoire of Agarri for discovering this xslt/4suite issue.
- XSS issue in rst parser CVE-2011-1058
  - Fix: remove support for javascript: URLs in the rst parser (dangerous, XSS)
  - rst is not the default parser of moin, but it is available if you have docutils installed.
  - If you don't use #format rst (or have rst as default markup), you can work around the issue by:
    - either removing MoinMoin/parser/text_rst.py (that makes rst unavailable)
    - or uninstalling docutils (that makes rst unavailable also)
  - watching changes (diffs) on format rst pages carefully, reverting suspect edits by using the info action to revert to a known good version
- Fixes security issues of 1.9.2.
moin 1.9.2
- XSS by unescaped content emitted by theme.add_msg (CVE-2010-2487). Affected: likely all up to 1.9.2
- Fix more potential XSS issues
  - The portion of the above that patches MoinMoin/action/RenamePage.py has two problems:
    - It doesn't apply directly to the 1.9.2 base because of other changes.
      - Use this diff made against 1.9.2 for applying to a 1.9.2 installation: http://paste.pocoo.org/show/221927/ -- EugeneSyromyatnikov 2010-06-04 15:27:17
    - It contains an extraneous merge artifact ">>>>>>> other".
      - This issue (excuse me for my fault) is fixed in http://hg.moinmo.in/moin/1.9/rev/60fde500cbc2 -- EugeneSyromyatnikov 2010-06-04 15:27:17
  - There is another problem with the above patch. The patch to MoinMoin/action/login.py does not import wikiutil and at least the 1.9.2 base does not have that import. -- MarkSapiro 2010-06-06 02:36:20
    - f8871116c6b3 -- EugeneSyromyatnikov 2010-06-06 05:38:08
- Fix XSS in Despam action (CVE-2010-0828) - thanks to Jamie Strandboge (Ubuntu) for fixing
  - To avoid the issue, please be careful when using the Despam action (it is only available to the superuser): check the page names of the pages to despam first. If they look strange (like containing javascript or html), then don't use Despam to clean them up. If you don't need Despam, you could of course also use actions_excluded to completely disable it.
- Fixes security issues of moin 1.9.1:
  - 1.9.2 fixes CVE-2010-0669.
  - 1.9.2 fixes CVE-2010-0668 (and also CVE-2010-0717, which is just another sub-issue of the same issue)
moin 1.9.1
- CVE-2010-0669: potential security issue due to incomplete user profile input sanitizing. Affected: all up to 1.9.1
  - see superuser configuration hint below
- CVE-2010-0668: major security issues were discovered. Some tips for working around the issues:
  - Do not have any user names in your superuser list (the superuser list is used to give some users special powers). Affected: 1.5.x ... 1.9.1.
    superuser = [] # or, even better: just remove the superuser definition from all your wiki and farm configs
  - Exclude (disable) the xmlrpc and SyncPages actions.
    - xmlrpc is usually used to access the wiki by scripts over the network; it is disabled by default. Affected: all up to 1.9.1
    - SyncPages is usually used for synchronizing wiki content with other wikis. Affected: 1.6.x ... 1.9.1
    actions_excluded = ['xmlrpc', 'MyPages', 'CopyPage', 'SyncPages', ] # MyPages/CopyPage are there due to other concerns.
  - Do not use the OpenID auth code (affected: 1.7.x .. 1.9.1, it is not used by default).
    auth = [...] # <-- you should not have openid stuff there (also ok if you do not have any auth configured)
- 1.9.1 fixes CVE-2010-0667.
moin 1.9.0
- CVE-2010-0667: a major security issue was found in moin 1.9.0 (versions before 1.9 are not affected). If you use 1.9.0, please upgrade to 1.9.1 immediately (1.9.1 has a fix for the issue). More details will follow later.
moin versions < 1.9.x
MoinMoin versions older than 1.9.x are not maintained by the MoinMoin developers any more.
Thus, they have to be considered vulnerable (unless you specifically know that someone else is really taking care of security maintenance).
If you still run an old moin, you should upgrade to 1.9.<latest>.
See the docs folder in the moin download archive for upgrade instructions. If you have trouble while upgrading, don't give up, just contact us for Support.
Note: running moin 1.9.x will also be a requirement for upgrading to moin 2 (after it is released).