There is an XSS issue in MoinMoin wiki, version 1.9.5. Function
rsslink() in "theme/__init__.py" does not properly escape the page name
parameter.
Details can be found at: http://moinmo.in/SecurityFixes
A fix is available at: http://hg.moinmo.in/moin/1.9/rev/c98ec456e493
# HG changeset patch
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
# Date 1355000129 -3600
# Node ID c98ec456e493cbe3df861cf7c6e70f638ab46917
# Parent d0567fba754edf749a62f3a31f7be5a70456b0b2
fix XSS issue, escape page name in rss link
diff -r d0567fba754e -r c98ec456e493 MoinMoin/theme/__init__.py
--- a/MoinMoin/theme/__init__.py Sat Dec 08 21:47:40 2012 +0100
+++ b/MoinMoin/theme/__init__.py Sat Dec 08 21:55:29 2012 +0100
@@ -904,7 +904,8 @@
elif rss_supported and self.cfg.rss_show_page_history_link:
link = (u'<link rel="alternate" title="%s: %s" '
u'href="%s" type="application/rss+xml">') % (
- wikiutil.escape(self.cfg.sitename, True), page.page_name,
+ wikiutil.escape(self.cfg.sitename, True),
+ wikiutil.escape(page.page_name, True),
wikiutil.escape(page.url(self.request, querystr={
'action': 'rss_rc', 'ddiffs': '1', 'unique': '0',
'diffs': '1', 'show_att': '1',
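Review bot: The `True` second argument to `wikiutil.escape` on the two added lines is what makes this fix sufficient, and nothing in the hunk says so; a reader who later drops it for the page name would reopen the injection, because both values are interpolated into a double-quoted `title="..."` attribute where an unescaped quote terminates the attribute. A one-line comment above the `link = (...)` assignment would pin the intent: `# escape(..., True) also escapes quotes: sitename and page_name land inside a double-quoted attribute`. The `wikiutil.escape(page.url(...))` call for `href` continues past the end of the hunk, so whether it too passes the quote flag cannot be confirmed here and is worth checking in the same review. The enclosing `rsslink` method and the `if` branch preceding this `elif` both start and end outside the hunk.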