Description

quicklinks allows PHP code to be entered into a user's profile, which could be leveraged to allow code execution if the web server also supports PHP (eg, it also contains a PHP application with a local file include vulnerability).

Steps to reproduce

Create / edit a user profile and enter "<?php system(id) ?>" for a quicklink. Then look at the contents of the user's profile and you'll see:

• quicklinks=<?php system(id) ?>

Component selection

• general

Details

Workaround

Discussion

Please add more details, especially about how that PHP code gets executed.

Did you publish your data directory by your webserver (by putting data_dir under documentroot?). Note that this would be a configuration we do warn about in our documentation and one that has all sorts of problems (e.g. you can access acl protected wiki pages, you can access all user account data including encrypted passwords, etc.).

• The location of the data_dir is not important; what is important is that an attacker has a way to get PHP code into a file on a remote host; then. If there's a local file include vulnerability in some PHP app that's also installed, an attacker can use directory traversal sequences to access a MoinMoin user profile with PHP code, causing it to be executed.

  Note that this isn't a vulnerability in MoinMoin per se, but it could help an attacker compromise a web server on which MoinMoin is installed.

  Why don't you put the php code just onto a wiki page then? That would be far easier and also end in a file. Well, if that's all, I think about closing this bug, because it is no moin problem if your php stuff has such problems. -- ThomasWaldmann 2008-01-24 15:05:16

Plan

• Priority:
• Assigned to:
• Status: not a moin problem, but a problem of webserver/php configuration (and note that you must not put your data_dir under documentroot or somewhere else where the web server serves files and/or executes php files)

CategoryMoinMoinNoBug