MoinMoin Wiki 1.9.5 remote code execution vulnerability

2012.12.30
Credit: Tilmann Haak
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

There is a remote code execution vulnerability in MoinMoin wiki, versions 1.9.x up to (and including) 1.9.5. The save method in class AnyWikiDraw (action/anywikidraw.py) and class TWikiDraw (action/twikidraw.py) does not filter user-supplied input correctly. This leads to a path traversal vulnerability, which can be exploited to execute arbitrary code with moin's privileges. An exploit was seen in the wild.

Details can be found at: http://moinmo.in/SecurityFixes

A fix is available at: http://hg.moinmo.in/moin/1.9/rev/7e7e1cbb9d3f

# HG changeset patch # User Thomas Waldmann <tw AT waldmann-edv DOT de> # Date 1356789929 -3600 # Node ID 7e7e1cbb9d3fbef8be61fa0506ee26f96cfb28fb # Parent 671124d91dc125264ad2d78ccca80f0b6ddf8351 security: fix remote code execution vulnerability in twikidraw/anywikidraw actions We have wikiutil.taintfilename() to make user supplied filenames safe, so that they can't contain any "special" characters like path separators, etc. It is used at many places in moin, but wasn't used here. :| diff -r 671124d91dc1 -r 7e7e1cbb9d3f MoinMoin/action/AttachFile.py --- a/MoinMoin/action/AttachFile.py Mon Dec 24 23:49:10 2012 +0100 +++ b/MoinMoin/action/AttachFile.py Sat Dec 29 15:05:29 2012 +0100 @@ -603,6 +603,14 @@ """ A storage container (multiple objects in 1 tarfile) """ def __init__(self, request, pagename, containername): + """ + @param pagename: a wiki page name + @param containername: the filename of the tar file. + Make sure this is a simple filename, NOT containing any path components. + Use wikiutil.taintfilename() to avoid somebody giving a container + name that starts with e.g. ../../filename or you'll create a + directory traversal and code execution vulnerability. + """ self.request = request self.pagename = pagename self.containername = containername diff -r 671124d91dc1 -r 7e7e1cbb9d3f MoinMoin/action/anywikidraw.py --- a/MoinMoin/action/anywikidraw.py Mon Dec 24 23:49:10 2012 +0100 
+++ b/MoinMoin/action/anywikidraw.py Sat Dec 29 15:05:29 2012 +0100 @@ -197,6 +197,8 @@ def execute(pagename, request): target = request.values.get('target') + target = wikiutil.taintfilename(target) + awd = AnyWikiDraw(request, pagename, target) do = request.values.get('do') diff -r 671124d91dc1 -r 7e7e1cbb9d3f MoinMoin/action/twikidraw.py --- a/MoinMoin/action/twikidraw.py Mon Dec 24 23:49:10 2012 +0100 +++ b/MoinMoin/action/twikidraw.py Sat Dec 29 15:05:29 2012 +0100 @@ -208,6 +208,8 @@ def execute(pagename, request): target = request.values.get('target') + target = wikiutil.taintfilename(target) + twd = TwikiDraw(request, pagename, target) do = request.values.get('do')
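
Review bot: In the MoinMoin/action/AttachFile.py hunk, the new docstring asks callers to pass a simple filename, but __init__ still stores the value unchecked in "self.containername = containername", so any future caller that forgets wikiutil.taintfilename() reintroduces the same traversal. Consider enforcing the rule inside the constructor, either by applying wikiutil.taintfilename() there or by rejecting a containername that contains path components, and keep the docstring as the explanation of why.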
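
Review bot: In the MoinMoin/action/anywikidraw.py hunk, "target = request.values.get('target')" yields None when the request carries no target parameter, and that value now goes straight into wikiutil.taintfilename(target). The hunk does not show how a missing or empty target is handled, so it would be worth checking for it before the call and returning an error to the client instead of relying on whatever the filter does with None.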
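
Review bot: In the MoinMoin/action/twikidraw.py hunk, "target = wikiutil.taintfilename(target)" overwrites the submitted name, so a request that carried path separators carries on with a rewritten filename and leaves no trace of what was sent. Since exploitation has been seen in the wild, consider comparing the value before and after filtering and logging (or rejecting) the request when they differ, so that probing attempts are visible to the wiki administrator.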
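
The root cause described in the advisory, a user-supplied filename reaching a filesystem path without filtering, shown beside a hardened form. This is an added Python 3 example, not MoinMoin code: sanitize_filename, naive_path, safe_path and is_inside are hypothetical names, the filter is not wikiutil.taintfilename(), and the input names are constructed.

```python
import os
import re
import tempfile

# Hypothetical allow-list; this is not MoinMoin's wikiutil.taintfilename().
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")

def sanitize_filename(name):
    """Reduce a user-supplied name to a single safe path component."""
    if not name:
        raise ValueError("missing filename")
    # Treat both separator styles as separators and keep only the last part.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = _UNSAFE.sub("_", base).lstrip(".")
    if not base:
        raise ValueError("filename has no usable characters")
    return base

def naive_path(attach_dir, name):
    """The unsafe pattern: the raw name is joined, so '../' climbs out."""
    return os.path.normpath(os.path.join(attach_dir, name))

def is_inside(attach_dir, path):
    """True if path resolves to a location under attach_dir."""
    root = os.path.realpath(attach_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) == root

def safe_path(attach_dir, name):
    """Sanitize first, then verify the result still lies in attach_dir."""
    root = os.path.realpath(attach_dir)
    path = os.path.join(root, sanitize_filename(name))
    if not is_inside(root, path):
        raise ValueError("path escapes attachment directory")
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        attach = os.path.join(d, "pages", "Demo", "attachments")
        os.makedirs(attach)
        # Constructed inputs: one ordinary name, one with path components.
        for name in ["drawing.tdraw", "../../drawing.tdraw"]:
            print(name,
                  "naive inside:", is_inside(attach, naive_path(attach, name)),
                  "safe inside:", is_inside(attach, safe_path(attach, name)))
```

The containment check in safe_path is a second layer: even if the character filter were changed later, a name that resolves outside the attachment directory is still refused.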

References:

http://moinmo.in/SecurityFixes
http://hg.moinmo.in/moin/1.9/rev/7e7e1cbb9d3f



Copyright 2024, cxsecurity.com

 
