ports/130916: [vuxml] [patch] www/moinmoin: fix XSS in the AttachFile module
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Fri Jan 23 15:10:03 UTC 2009
>Number: 130916
>Category: ports
>Synopsis: [vuxml] [patch] www/moinmoin: fix XSS in the AttachFile module
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 23 15:10:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-STABLE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-STABLE amd64
>Description:
R&D team from SecureState discovered cross-site scripting issue in
MoinMoin <= 1.8.0 [1]
[1] http://www.securityfocus.com/archive/1/500197/30/0/threaded
>How-To-Repeat:
Look at the above URL and try to use the query string from it to test
your MoinMoin installation.
>Fix:
The following patch adds upstream fix to the current port version,
1.8.0. I had tested it on my MoinMoin installation: works fine, XSS
via the query string provided in the advisory is gone.
--- fix-rename-and-drawing-XSS.diff begins here ---
>From 9216203e77f384a7d3af41734f8652fabaab7f93 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Fri, 23 Jan 2009 16:48:24 +0300
Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
www/moinmoin/Makefile | 1 +
www/moinmoin/files/patch-rename-drawing-XSS | 23 +++++++++++++++++++++++
2 files changed, 24 insertions(+), 0 deletions(-)
create mode 100644 www/moinmoin/files/patch-rename-drawing-XSS
diff --git a/www/moinmoin/Makefile b/www/moinmoin/Makefile
index 1ece283..5192545 100644
--- a/www/moinmoin/Makefile
+++ b/www/moinmoin/Makefile
@@ -7,6 +7,7 @@
PORTNAME= moinmoin
PORTVERSION= 1.8.0
+PORTREVISION= 1
CATEGORIES= www python
MASTER_SITES= http://static.moinmo.in/files/
DISTNAME= moin-${PORTVERSION}
diff --git a/www/moinmoin/files/patch-rename-drawing-XSS b/www/moinmoin/files/patch-rename-drawing-XSS
new file mode 100644
index 0000000..8af8c9f
--- /dev/null
+++ b/www/moinmoin/files/patch-rename-drawing-XSS
@@ -0,0 +1,23 @@
+Patch for XSS in MoinMoin < 1.8.1: http://www.securityfocus.com/archive/1/500197/30/0/threaded
+Obtained from: http://hg.moinmo.in/moin/1.8/diff/8cb4d34ccbc1/MoinMoin/action/AttachFile.py
+
+--- MoinMoin/action/AttachFile.py Sat Jun 14 01:49:34 2008 +0200
++++ MoinMoin/action/AttachFile.py Sun Jan 11 22:18:04 2009 +0100
+@@ -438,7 +438,7 @@
+ 'pngpath': pngpath, 'timestamp': timestamp,
+ 'pubpath': pubpath, 'drawpath': drawpath,
+ 'savelink': savelink, 'pagelink': pagelink, 'helplink': helplink,
+- 'basename': basename
++ 'basename': wikiutil.escape(basename),
+ })
+
+
+@@ -482,7 +482,7 @@
+ 'action_name': action_name,
+ 'upload_label_file': _('File to upload'),
+ 'upload_label_rename': _('Rename to'),
+- 'rename': request.form.get('rename', [''])[0],
++ 'rename': wikiutil.escape(request.form.get('rename', [''])[0], 1),
+ 'upload_label_overwrite': _('Overwrite existing attachment of same name'),
+ 'overwrite_checked': ('', 'checked')[request.form.get('overwrite', ['0'])[0] == '1'],
+ 'upload_button': _('Upload'),
--
1.6.1
--- fix-rename-and-drawing-XSS.diff ends here ---
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="d867877c-e95d-11dd-b89a-0022156e8794">
<topic>MoinMoin -- cross-site scripting</topic>
<affects>
<package>
<name>moinmoin</name>
<range><lt>1.8.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecureState R&D Team reports had found cross-site scripting issue inside AttachFile module.</p>
</body>
</description>
<references>
<url>http://www.securityfocus.com/archive/1/500197/30/0/threaded</url>
<url>http://hg.moinmo.in/moin/1.8/rev/8cb4d34ccbc1</url>
</references>
<dates>
<discovery>2009-01-20</discovery>
<entry>TODAY</entry>
</dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list