Security Fix Announcements

This page is intended for moin package maintainers, moin distributors (see also our Advisory for Distributors) and users interested in receiving security fix notifications.

If you want to receive such notifications via email, just create a user account and subscribe to this page. You will receive an email as soon as someone updates this page.

For each version listed here, we will list important and rather current issues that got fixed after that release. See the page Security Fixes Installation for information on how to apply the fixes.

If this page gets too long over time, we will remove old version information (you can use info action to access this page's history) - if you are interested in security, you should not run stone-age software.

moin 1.9.3

None yet.

Fixes security issues of 1.9.2.

moin 1.9.2

• XSS by unescaped content emitted by theme.add_msg (CVE-2010-2487). Affected: likely all up to 1.9.2

  • fix XSS in template parameter

  • fix another potential XSS issue

  • fix more potential XSS issues
    The portion of the above that patches MoinMoin/action/RenamePage.py has two problems

    • It doesn't apply directly to the 1.9.2 base because of other changes.

      • Use this diff made against 1.9.2 for applying to 1.9.2 installation: http://paste.pocoo.org/show/221927/ -- EugeneSyromyatnikov 2010-06-04 15:27:17

    • It contains an extraneous merge artifact ">>>>>>> other".

      • This issue (excuse me for my fault) fixed in http://hg.moinmo.in/moin/1.9/rev/60fde500cbc2 -- EugeneSyromyatnikov 2010-06-04 15:27:17

    There is another problem with the above patch. The patch to MoinMoin/action/login.py does not import wikiutil and at least the 1.9.2 base does not have that import. -- MarkSapiro 2010-06-06 02:36:20

    • f8871116c6b3 -- EugeneSyromyatnikov 2010-06-06 05:38:08

• fix XSS in Despam action (CVE-2010-0828) - thanks to Jamie Strandboge (Ubuntu) for fixing

  • To avoid the issue, please be careful when using Despam action (it is only available for superuser) - please check the page names of the pages to despam first. If they look strange (like containing javascript or html), then don't use Despam to clean them up. If you don't need Despam, you could of course also use actions_excluded to completely disable it.

Fixes security issues of moin 1.9.1:

• 1.9.2 fixes CVE-2010-0669.
• 1.9.2 fixes CVE-2010-0668 (and also CVE-2010-0717 which is just another sub-issue of the same issue)

moin 1.9.1

• CVE-2010-0669 potential security issue due to incomplete user profile input sanitizing, Affected: all up to 1.9.1

  • see superuser configuration hint below

• CVE-2010-0668 major security issues were discovered. Some tips for working around the issues.

  • Do not have any user names in your superuser list (superuser list is used to give some users special powers). Affected: 1.5.x ... 1.9.1.

        superuser = []  # or, even better: just remove superuser definition from all your wiki and farm configs

  • Exclude (disable) xmlrpc and SyncPages actions.

    • xmlrpc is usually used to access the wiki by scripts over the network, it is disabled by default. Affected: all up to 1.9.1

    • SyncPages is usually used for synchronizing wiki content with other wikis. Affected: 1.6.x ... 1.9.1

        actions_excluded = ['xmlrpc', 'MyPages', 'CopyPage', 'SyncPages', ] # MyPages/CopyPage are there due to other concerns.

  • Do not use OpenID auth code (affected: 1.7.x .. 1.9.1, it is not used by default).

        auth = [...] # <-- you should not have openid stuff there (also ok if you do not have any auth configured)

• 1.9.1 fixes CVE-2010-0667.

moin 1.9.0

• CVE-2010-0667 Found major security issue in moin 1.9.0 (versions before 1.9 are not affected). If you use 1.9.0, please upgrade to 1.9.1 immediately (1.9.1 has a fix for the issue). More details will follow later.

moin 1.8.8

None yet.

Fixes security issues of 1.8.7:

• XSS by unescaped content emitted by theme.add_msg

• CVE-2010-0828

moin 1.8.7

• XSS by unescaped content emitted by theme.add_msg. Affected: likely all up to 1.9.2

  • Fixing security issues related to MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg (possible XSS)

  • see 1.9.2 for more info

• fix XSS in Despam action (CVE-2010-0828) - thanks to Jamie Strandboge (Ubuntu) for fixing

  • see 1.9.2 for advice

Fixes security issues of moin 1.8.6:

• 1.8.7 fixes CVE-2010-0668 (and also CVE-2010-0717 which is just another sub-issue of the same issue)
• 1.8.7 fixes CVE-2010-0669

moin 1.8.6

See moin 1.9.1.

moin 1.8.4

• This is not about a security fix done by us, but just a note: The issue in FCKeditor's filemanager does not affect moin (although we bundle the vulnerable FCKeditor code), because we do not use the filemanager and it is disabled in the config files we distribute. We do not distribute the _samples directory in recent moin versions. We'll likely include the non-vulnerable version of FCKeditor later, but there seems to be no need for an emergency maintenance release of moin right now.

moin 1.8.3

• hierarchical ACL security fix

moin 1.8.2

• AttachFile XSS fixes: move escaping to error_msg / upload_form

• AttachFile move: add more escaping (maybe not XSS exploitable though)

moin 1.8.1

• Fix AttachFile XSS issues

• Fix other AttachFile XSS issues

• Fix antispam XSS issue

moin 1.8.0

None yet.

moin 1.7.3

• XSS by unescaped content emitted by theme.add_msg. Affected: likely all up to 1.9.2

  • Fixing security issues related to MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg (possible XSS)

  • see 1.9.2 for more info

• fix XSS in Despam action (CVE-2010-0828) - thanks to Jamie Strandboge (Ubuntu) for fixing

  • see 1.9.2 for advice
• See moin 1.9.1.

• hierarchical ACL security fix

• AttachFile move: add more escaping (maybe not XSS exploitable though)

• AttachFile XSS fixes: move escaping to error_msg / upload_form

• Fix AttachFile XSS issues

• Fix other AttachFile XSS issues

• Fix antispam XSS issue

moin 1.7.2

None yet.

moin 1.7.1

• Fix for file handle leakage (could be used for DOS), if you apply this, please also apply that.

moin 1.7.0

• XSS security fix for advanced search form: added escaping (thanks to Emanuele Gentili from Ubuntu for discovering the problem)

moin 1.6.4

There will be no fixes in the 1.6 branch after 1.6.4. Please upgrade to a recent moin version if you like bug and security fixes.

moin 1.6.3

• XSS security fix for advanced search form: added escaping (thanks to Emanuele Gentili from Ubuntu for discovering the problem)

moin 1.6.2

• Major ACL/superuser privilege escalation fix - fixed in 1.6.3. Urgently upgrade if you use ACLs or a non-empty superuser list.

  • If you use moin 1.6.0/1.6.1/1.6.2, especially if you are using ACLs (other than for Known: and All:) or if you have a non-empty superuser list, please follow this advice:
    1. clear your superuser list immediately NOW (e.g. in wikiconfig):

          superuser = []

       • Note: for farm-like setups with config inheritance it might be not enough to comment it out - it could be set to a non-empty list in a config your inherit from, so better assign the empty list.

    2. if you have very sensitive content in your wiki (e.g. secret stuff that must not be read by the unauthorized people or stuff were write access is very critical, even if logged), it is suggested that you either take away the critical access or shut the wiki down until you have installed the fix.

       • E.g. if write access is critical, but reading is allowed for everybody:

             acl_rights_before = u"All:read" # everybody can read everything,
                                             # but noone can write

    3. You have to restart your web server after making those changes.
    4. Watch those pages (if you have an account on the moinmo.in wiki, you can subscribe to the pages and you will be notified by email when they are changed):

       • http://moinmo.in/ <-- used for release announcements

       • http://moinmo.in/SecurityFixes <-- for security fix news

    5. Download and upgrade to 1.6.3, restart your web server.

    6. Check that 1.6.3 is active (see SystemInfo page).

    7. Make sure that no duplicate accounts exist (esp. not for the names of the powerful users in your wiki, see the superuser list, see ACLs). If you find duplicates (use grep in your <data_dir>/user directory, make sure there is only one enabled and correct account per username. Especially have a look at NEW accounts.

    8. You can restore your previous acl_rights_* setup and also your superuser list.
  • Note: moin 1.5.x is (as far as we know) not affected by this bug, but if you are still running 1.5.x you should also consider upgrading as 1.5.9 was the last 1.5.x release and there won't be any updates/fixes for 1.5 any more.
  • We are really sorry about this (the code change [it was a fix for another bug] that caused this looked really harmless, but while fixing that other bug, it poked a even bigger hole into security in a quite unexpected way).

• ACL security fix for acl_hierarchic=True mode, see also MoinMoinBugs/AclHierarchicPageAclSupercededByAclRightsAfter

moin 1.6.1

• check the ACL of the included page when using the rst parser's include directive

• cracklib segfaulting - DOS, security implications unclear

moin 1.6.0

• XSS fix for login action, thanks to Fernando Quintero for reporting this (port from 1.5)

• fixed su user trouble

moin 1.5.9

There will be no fixes in the 1.5 branch after 1.5.9. Please upgrade to a recent moin version if you like bug and security fixes.

moin 1.5.8

• fix XSS issues in AttachFile action

• Security fix: only accept valid user IDs from the cookie

• XSS fix for login action, thanks to Fernando Quintero for reporting this

• respect ACLs when sending <link rel=Appendix ...> for attachments

• Fixed XSS issue in RenamePage/DeletePage action

• wikimacro._macro_GetVal: bug fix respect ACLs on page

• fix gui editor formatter XSS issues

• if attachment upload uses overwrite mode, we have to check for delete rights, not only for write rights

The bugs listed above for 1.5.8 are fixed in 1.5.9.

moin 1.5.7

• check the ACL of the included page when using the rst parser's include directive