Description

An XSS issue has been found in the code that feeds the GUI editor.

The flawed code allows arbitrary HTML, including JavaScript, to be placed into the editor area of the GUI editor.

Component selection

Details

MoinMoin Version

Likely all versions since the GUI editor was introduced, including 1.5.8, 1.6dev and 1.7dev.

OS and Version

all

Python Version

all

Workaround

To keep users from walking into this trap easily, you can simply disable the GUI editor:

    editor_force = True
    editor_default = 'text'  # internal default, just for completeness

/!\ Please note that there are other ways to invoke the GUI editor formatter (e.g. via a specially prepared URL), so while this stops the problematic code from being reached through the UI, it does not protect users who follow specially prepared URLs they received by mail or found on a wiki page.

If you have disabled the GUI editor, you can also just remove MoinMoin/formatter/text_gedit.py* to be safe.
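A small check, added here and not part of this bug page or of MoinMoin itself, that verifies a wikiconfig.py carries the two workaround settings above and reports whether text_gedit.py* is still present below an assumed install root (the sample config texts and the moin_root argument are constructed for illustration):

```python
import ast
import glob
import os

# Constructed sample of a MoinMoin wikiconfig.py with the workaround applied.
SAMPLE_CONFIG_OK = """
from MoinMoin.multiconfig import DefaultConfig
class Config(DefaultConfig):
    sitename = u'Example Wiki'
    editor_force = True
    editor_default = 'text'
"""

# Constructed sample where the GUI editor can still be selected from the UI.
SAMPLE_CONFIG_BAD = """
from MoinMoin.multiconfig import DefaultConfig
class Config(DefaultConfig):
    sitename = u'Example Wiki'
    editor_default = 'gui'
"""

def parse_editor_settings(wikiconfig_src):
    """Return the last literal value assigned to editor_force and editor_default
    anywhere in the config source (MoinMoin keeps them in class Config).
    None means the option is not set and the DefaultConfig value is inherited;
    assignments that are not plain literals are reported as '<non-literal>'."""
    found = {"editor_force": None, "editor_default": None}
    for node in ast.walk(ast.parse(wikiconfig_src)):
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id in found:
                try:
                    found[target.id] = ast.literal_eval(node.value)
                except ValueError:
                    found[target.id] = "<non-literal>"
    return found

def gui_editor_disabled(wikiconfig_src):
    """True only when the editor is forced and the forced editor is 'text'."""
    s = parse_editor_settings(wikiconfig_src)
    return s["editor_force"] is True and s["editor_default"] == "text"

def gedit_formatter_present(moin_root):
    """True if MoinMoin/formatter/text_gedit.py* still exists below moin_root
    (a hypothetical install root supplied by the caller)."""
    pattern = os.path.join(moin_root, "MoinMoin", "formatter", "text_gedit.py*")
    return bool(glob.glob(pattern))

if __name__ == "__main__":
    print("workaround present in sample config:", gui_editor_disabled(SAMPLE_CONFIG_OK))
```

The parser only sees literal assignments, so a config that computes these values at runtime is reported as '<non-literal>' and must be inspected by hand.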

Discussion

Might get into a 1.5.9 release later.

For now, please apply those patches:

Plan


CategoryMoinMoinBugFixed

MoinMoin: MoinMoinBugs/XssWithGuiEditor (last edited 2009-06-30 13:15:01 by aktaia)