Date:      Fri, 23 Jan 2009 18:09:37 +0300 (MSK)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/130916: [vuxml] [patch] www/moinmoin: fix XSS in the AttachFile module
Message-ID:  <20090123150937.7DA89DA831@void.codelabs.ru>
Resent-Message-ID: <200901231510.n0NFA2n5082575@freefall.freebsd.org>


>Number:         130916
>Category:       ports
>Synopsis:       [vuxml] [patch] www/moinmoin: fix XSS in the AttachFile module
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 23 15:10:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-STABLE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-STABLE amd64

>Description:

The R&D team from SecureState discovered a cross-site scripting issue in
MoinMoin <= 1.8.0 [1]

[1] http://www.securityfocus.com/archive/1/500197/30/0/threaded

>How-To-Repeat:

Look at the above URL and try to use the query string from it to test
your MoinMoin installation.

>Fix:

The following patch adds the upstream fix to the current port version,
1.8.0.  I have tested it on my MoinMoin installation: it works fine, and
the XSS via the query string provided in the advisory is gone.

--- fix-rename-and-drawing-XSS.diff begins here ---
>From 9216203e77f384a7d3af41734f8652fabaab7f93 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Fri, 23 Jan 2009 16:48:24 +0300

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 www/moinmoin/Makefile                       |    1 +
 www/moinmoin/files/patch-rename-drawing-XSS |   23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 0 deletions(-)
 create mode 100644 www/moinmoin/files/patch-rename-drawing-XSS

diff --git a/www/moinmoin/Makefile b/www/moinmoin/Makefile
index 1ece283..5192545 100644
--- a/www/moinmoin/Makefile
+++ b/www/moinmoin/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	moinmoin
 PORTVERSION=	1.8.0
+PORTREVISION=	1
 CATEGORIES=	www python
 MASTER_SITES=	http://static.moinmo.in/files/
 DISTNAME=	moin-${PORTVERSION}
diff --git a/www/moinmoin/files/patch-rename-drawing-XSS b/www/moinmoin/files/patch-rename-drawing-XSS
new file mode 100644
index 0000000..8af8c9f
--- /dev/null
+++ b/www/moinmoin/files/patch-rename-drawing-XSS
@@ -0,0 +1,23 @@
+Patch for XSS in MoinMoin < 1.8.1: http://www.securityfocus.com/archive/1/500197/30/0/threaded
+Obtained from: http://hg.moinmo.in/moin/1.8/diff/8cb4d34ccbc1/MoinMoin/action/AttachFile.py
+
+--- MoinMoin/action/AttachFile.py	Sat Jun 14 01:49:34 2008 +0200
++++ MoinMoin/action/AttachFile.py	Sun Jan 11 22:18:04 2009 +0100
+@@ -438,7 +438,7 @@
+     'pngpath': pngpath, 'timestamp': timestamp,
+     'pubpath': pubpath, 'drawpath': drawpath,
+     'savelink': savelink, 'pagelink': pagelink, 'helplink': helplink,
+-    'basename': basename
++    'basename': wikiutil.escape(basename),
+ })
+ 
+ 
+@@ -482,7 +482,7 @@
+     'action_name': action_name,
+     'upload_label_file': _('File to upload'),
+     'upload_label_rename': _('Rename to'),
+-    'rename': request.form.get('rename', [''])[0],
++    'rename': wikiutil.escape(request.form.get('rename', [''])[0], 1),
+     'upload_label_overwrite': _('Overwrite existing attachment of same name'),
+     'overwrite_checked': ('', 'checked')[request.form.get('overwrite', ['0'])[0] == '1'],
+     'upload_button': _('Upload'),
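Review bot: in the first AttachFile.py hunk, `'basename': wikiutil.escape(basename),` is called without the second argument that the rename line passes (`wikiutil.escape(request.form.get('rename', [''])[0], 1)`), so the two values end up escaped differently. If that argument is what enables quote escaping, and basename is interpolated into an HTML attribute anywhere in the drawing template (the template is not visible in this hunk), it should get the same `, 1`; otherwise a short remark in the patch header on why the plain form is sufficient for basename would make the difference easier to audit.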
-- 
1.6.1
--- fix-rename-and-drawing-XSS.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="d867877c-e95d-11dd-b89a-0022156e8794">
    <topic>MoinMoin -- cross-site scripting</topic>
    <affects>
      <package>
        <name>moinmoin</name>
        <range><lt>1.8.0_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>SecureState R&amp;D Team reports that they had found a cross-site scripting issue inside the AttachFile module.</p>
      </body>
    </description>
    <references>
      <url>http://www.securityfocus.com/archive/1/500197/30/0/threaded</url>
      <url>http://hg.moinmo.in/moin/1.8/rev/8cb4d34ccbc1</url>
    </references>
    <dates>
      <discovery>2009-01-20</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:


