Description
DeletePage action uses insecure validation:
- The form uses POST correctly, but the action does not validate the request method. It should execute only for POST requests, and return a form for GET requests.
- The same ticket is used for the whole wiki and for all actions. An attacker can simply get a ticket from one of the actions that use a ticket, and then destroy the whole wiki using the same ticket.
The code says:
    # Require a valid ticket. Make outside attacks harder by
    # requiring two full HTTP transactions
But the attacker needs only n + 2 requests (create account, get ticket, then one request per page) to delete n pages.
Steps to reproduce
This link will work for the next 10 hours, due to ticket lifetime limit.
Component selection
- general
Details
This Wiki and earlier versions.
Workaround
Disable DeletePage action.
Discussion
The fix is quite simple:
- Add the page name to the ticket
- Add the action name to the ticket
- If the request method is not POST, return the form with an error.
Looks like it could be fixed in ActionBase, without changing concrete actions.
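The following is an added illustration of the weakness and of the proposed fix; it is not MoinMoin's code and does not reproduce the actual ticket implementation. It models a global, expiry-only ticket (the scheme the report describes) next to a ticket that also commits to the page name and the action name, and a DeletePage-style handler that only acts on POST and otherwise returns the form. The secret, the ticket encoding, the function names and the 10-hour lifetime as a constant are all assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed secret for this example only; a real wiki loads its own.
SECRET = b"example-wiki-secret-not-a-real-key"
# Assumed lifetime, matching the 10 hours mentioned in the report.
TICKET_LIFETIME = 10 * 3600


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload, hex encoded (assumed construction)."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def _now(now):
    return int(time.time() if now is None else now)


def make_global_ticket(now=None) -> str:
    """Weak scheme from the report: one ticket for the whole wiki, bound only
    to an expiry time, so it is valid for every page and every action."""
    expiry = _now(now) + TICKET_LIFETIME
    return f"{expiry}.{_sign(str(expiry))}"


def check_global_ticket(ticket: str, now=None) -> bool:
    """Verifies only the MAC and the expiry; page and action are not checked."""
    try:
        expiry_s, mac = ticket.split(".", 1)
        expiry = int(expiry_s)
    except ValueError:
        return False
    ok = hmac.compare_digest(mac.encode(), _sign(expiry_s).encode())
    return ok and _now(now) < expiry


def make_bound_ticket(pagename: str, action: str, now=None) -> str:
    """Hardened scheme: the MAC also covers the page name and the action name,
    so a ticket issued for one page/action does not verify for another."""
    expiry = _now(now) + TICKET_LIFETIME
    # NUL separator keeps "page" + "action" from being re-split ambiguously.
    payload = "\x00".join([str(expiry), pagename, action])
    return f"{expiry}.{_sign(payload)}"


def check_bound_ticket(ticket: str, pagename: str, action: str, now=None) -> bool:
    """Recomputes the MAC for the page and action the request is actually
    trying to perform; any mismatch or expiry rejects the ticket."""
    try:
        expiry_s, mac = ticket.split(".", 1)
        expiry = int(expiry_s)
    except ValueError:
        return False
    expected = _sign("\x00".join([expiry_s, pagename, action]))
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return ok and _now(now) < expiry


def handle_delete(method: str, ticket: str, pagename: str, now=None) -> str:
    """Models a DeletePage-style action after the fix: anything other than
    POST renders the confirmation form, and POST executes only with a ticket
    bound to this page and to the DeletePage action."""
    if method != "POST":
        return "form"
    if not check_bound_ticket(ticket, pagename, "DeletePage", now=now):
        return "form-with-error"
    return f"deleted:{pagename}"


if __name__ == "__main__":
    t0 = 1_000_000
    g = make_global_ticket(now=t0)
    print("global ticket accepted for any page/action:",
          check_global_ticket(g, now=t0))
    b = make_bound_ticket("FrontPage", "DeletePage", now=t0)
    print("bound ticket on its own page:", handle_delete("POST", b, "FrontPage", now=t0))
    print("bound ticket replayed on another page:",
          handle_delete("POST", b, "OtherPage", now=t0))
    print("GET never deletes:", handle_delete("GET", b, "FrontPage", now=t0))
```

With the bound scheme, the n + 2 request pattern from the description no longer works: each page needs its own ticket, which is only issued by the form for that page and that action, and a ticket obtained from any other action does not verify. Binding is done in one place, which is why the report expects the change to fit in ActionBase rather than in each concrete action.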
Plan
- Priority: Medium
- Assigned to:
Status: added pagename and action to the ticket, in 1.7: http://hg.moinmo.in/moin/1.7/rev/3318504c5dd5