CVE-2009-1482: cross-site scripting (XSS) issue

Debian Bug report logs - #526594
CVE-2009-1482: cross-site scripting (XSS) issue

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2009-1482: cross-site scripting (XSS) issue

Date: Sat, 02 May 2009 12:40:55 +1000

Package: moin
Severity: important
Tags: patch, security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for moin.

CVE-2009-1482[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in
| action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
| attackers to inject arbitrary web script or HTML via (1) an AttachFile
| sub-action in the error_msg function or (2) multiple vectors related
| to package file errors in the upload_form function, different vectors
| than CVE-2009-0260.

Please have a look at upstream's announcement[1]. Upstream's patch is
here[2]. While I agree that it is a good idea to move the escaping to
a more centralised place, I don't see yet, where it would be
exploitable. There is escaping in several places, so before we worry
too much about this, I'd like to see a successful XSS exploit.
Could you as the maintainer please also have a look?

It might also be worth to include this patch[3] as well, although I
don't think it is exploitable.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1482
    http://security-tracker.debian.net/tracker/CVE-2009-1482
[1] http://moinmo.in/SecurityFixes
[2] http://hg.moinmo.in/moin/1.8/rev/5f51246a4df1
[3] http://hg.moinmo.in/moin/1.8/rev/269a1fbc3ed7

Message #10 received at 526594@bugs.debian.org (full text, mbox, reply):

From: Frank Lin PIAT <fpiat@klabs.be>

To: 526594@bugs.debian.org, Moin maintainers <moin@packages.debian.org>

Subject: Re: Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue

Date: Sat, 02 May 2009 15:45:39 +0200

[Message part 1 (text/plain, inline)]

Hi,

On Sat, 2009-05-02 at 12:40 +1000, Steffen Joeris wrote:
> 
> CVE-2009-1482[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in
> | action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
> | attackers to inject arbitrary web script or HTML via (1) an AttachFile
> | sub-action in the error_msg function or (2) multiple vectors related
> | to package file errors in the upload_form function, different vectors
> | than CVE-2009-0260.
> 
> Please have a look at upstream's announcement[1]. Upstream's patch is
> here[2]. While I agree that it is a good idea to move the escaping to
> a more centralised place, I don't see yet, where it would be
> exploitable. There is escaping in several places, so before we worry
> too much about this, I'd like to see a successful XSS exploit.

I could exploit this vulnerability by injecting arbitrary html, onmouseover...

> It might also be worth to include this patch[3] as well, although I
> don't think it is exploitable.

As I explained in my private mail, this can be exploited too. So I have
included it, as suggested.

I have made a patch, (against the lenny branch in git), that merely
contains upstream's patches (I prefer to stick to upstream's patch, so
later patch are more likely to apply).

Regards

Franklin

[0001-Fix-XSS-vulnerability-Closes-bug-526594.-Fix-CVE-2.patch (text/x-patch, attachment)]

Message #15 received at 526594@bugs.debian.org (full text, mbox, reply):

From: Frank Lin PIAT <fpiat@klabs.be>

To: Steffen Joeris <steffen.joeris@skolelinux.de>, 526594@bugs.debian.org

Subject: Re: Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue [moin 1.5 / oldstable not affected]

Date: Tue, 05 May 2009 09:54:36 +0200

On Sat, 2009-05-02 at 12:40 +1000, Steffen Joeris wrote:
> 
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for moin.
> 
> CVE-2009-1482[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in
> | action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
> | attackers to inject arbitrary web script or HTML via (1) an AttachFile
> | sub-action in the error_msg function or (2) multiple vectors related
> | to package file errors in the upload_form function, different vectors
> | than CVE-2009-0260.

regardin oldstable (moin 1.5.3-1.2etch4)

Most of the patch http://hg.moinmo.in/moin/1.8/rev/5f51246a4df1 was
already applied by the patch 019_CVE-2007-0781_attach_file_XSS.patch.
The remaining of the patch (escaping error_msg) can't be exploited
because the calling functions either escape strings, or send
intrinsically clean strings, like fixed strings or attachments names
that are escaped during upload)


The patch http://hg.moinmo.in/moin/1.8/rev/269a1fbc3ed7 isn't needed,
because it fix a bug in a feature that was introduced in later release
of moinmoin (1.6 or 1.7)

So our moin 1.5.3-1.2etch4 isn't affected by this CVE.

Thanks,

Franklin

P.S. can "you" upload moin 1.7, I can't since I am not DD/DM.

Message #20 received at 526594@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>

To: Frank Lin PIAT <fpiat@klabs.be>, 526594@bugs.debian.org

Cc: Steffen Joeris <steffen.joeris@skolelinux.de>

Subject: Re: Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue [moin 1.5 / oldstable not affected]

Date: Tue, 5 May 2009 13:28:08 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote:
>P.S. can "you" upload moin 1.7, I can't since I am not DD/DM.

I'll do it now!


  - Jonas

- -- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoAIscACgkQn7DbMsAkQLhU7QCfegqH4acBQ4DF3hdZ+ZcIpL5p
U6UAoKfDnvDb+OVViluf4ouFPo21NLzt
=pA6D
-----END PGP SIGNATURE-----

Message #25 received at 526594@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: 526594@bugs.debian.org

Cc: Jonas Smedegaard <dr@jones.dk>

Subject: Re: Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue [moin 1.5 / oldstable not affected]

Date: Wed, 6 May 2009 21:22:15 +1000

[Message part 1 (text/plain, inline)]

On Tue, 5 May 2009 09:28:08 pm Jonas Smedegaard wrote:
> On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote:
> >P.S. can "you" upload moin 1.7, I can't since I am not DD/DM.
>
> I'll do it now!
>
>
>   - Jonas

Also, please upload fixed packages for unstable with urgency high. :)

Cheers
Steffen

[signature.asc (application/pgp-signature, inline)]

Message #38 received at 526594@bugs.debian.org (full text, mbox, reply):

From: Frank Lin PIAT <fpiat@klabs.be>

To: 526594@bugs.debian.org

Cc: Jonas Smedegaard <dr@jones.dk>

Subject: Re: Bug#526594: CVE-2009-1482: cross-site scripting (XSS) issue [moin 1.5 / oldstable not affected]

Date: Thu, 07 May 2009 00:36:59 +0200

[Message part 1 (text/plain, inline)]

On Wed, 2009-05-06 at 21:22 +1000, Steffen Joeris wrote:
> On Tue, 5 May 2009 09:28:08 pm Jonas Smedegaard wrote:
> > On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote:
> > >P.S. can "you" upload moin 1.7, I can't since I am not DD/DM.
> >
> > I'll do it now!
> >
> >   - Jonas
> 
> Also, please upload fixed packages for unstable with urgency high. :)

Jonas,

Here's a patch for unstable (against 1.8.2-2).

Could you review and upload it please?

Franklin

[moin-1.8.2-2+unstable1.patch (text/x-patch, attachment)]

Message #43 received at 526594@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: 526594@bugs.debian.org

Subject: moin update

Date: Wed, 20 May 2009 23:18:32 +1000

[Message part 1 (text/plain, inline)]

Hi Jonas

Could you please upload a fixed moin version to unstable, so it can migrate to 
testing? I can't test it here right now.

Cheers
Steffen

[signature.asc (application/pgp-signature, inline)]

Message #48 received at 526594@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>

To: Steffen Joeris <steffen.joeris@skolelinux.de>, 526594@bugs.debian.org

Subject: Re: Bug#526594: moin update

Date: Wed, 20 May 2009 15:57:29 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Wed, May 20, 2009 at 11:18:32PM +1000, Steffen Joeris wrote:
>Could you please upload a fixed moin version to unstable, so it can 
>migrate to testing? I can't test it here right now.

To unstable?  Yes.

I am completely lost about which upload queues and distribution to use 
for various security uploads, and your mains about it only told that I 
was wrong, not what would have been right, so I am pretty hesitant to 
spend time on unusual branches without more detailed instructions.


Kind regards,

  - Jonas

- -- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREDAAYFAkoUDEkACgkQn7DbMsAkQLiJpgCfduN9L1x+QgeKMiUDB1GmIHUD
5sQAoJctmYPRJClWi0yX87jnWDvEfxZG
=j0uq
-----END PGP SIGNATURE-----

Message #53 received at 526594-close@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>

To: 526594-close@bugs.debian.org

Subject: Bug#526594: fixed in moin 1.8.3-1

Date: Wed, 20 May 2009 16:02:35 +0000

Source: moin
Source-Version: 1.8.3-1

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.8.3-1.diff.gz
  to pool/main/m/moin/moin_1.8.3-1.diff.gz
moin_1.8.3-1.dsc
  to pool/main/m/moin/moin_1.8.3-1.dsc
moin_1.8.3.orig.tar.gz
  to pool/main/m/moin/moin_1.8.3.orig.tar.gz
python-moinmoin_1.8.3-1_all.deb
  to pool/main/m/moin/python-moinmoin_1.8.3-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 526594@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Wed, 20 May 2009 17:44:30 +0200
Source: moin
Binary: python-moinmoin
Architecture: source all
Version: 1.8.3-1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 python-moinmoin - Python clone of WikiWiki - library
Closes: 526594
Changes: 
 moin (1.8.3-1) unstable; urgency=high
 .
   [ Frank Lin PIAT ]
   * Re-implement patch 10001_disable_RenderAsDocbook_if_no_xml.
   * Warn if fckeditor is installed but not configured.
   * Don't create fake fckeditor.js because we can't invalidate the client
     side caching once fckeditor is installed.
   * Update the copyright file.
 .
   [ Jonas Smedegaard ]
   * New upstream release:
     + Fixes CVE-2009-1482. Closes: bug#526594.
   * Add README.source.  Drop custom hints about CDBS.
   * Bump standards-version to 3.8.1.
   * Maintain all package relations in debian/rules, resolved using CDBS.
   * Set urgency=high due to security fix.
Checksums-Sha1: 
 7a019c4cf6fb43bb69954833f5655849d8b163db 1240 moin_1.8.3-1.dsc
 e672762647fe03c6e931f6389111d54f5a9fe553 5999564 moin_1.8.3.orig.tar.gz
 dab1ca069e30658d8be7aefb8774a8f4c39804d4 97065 moin_1.8.3-1.diff.gz
 905430ee7ab7a04c56869f7ee2362d932b44765d 3907572 python-moinmoin_1.8.3-1_all.deb
Checksums-Sha256: 
 4644aadb9c9163df21b6859c5a168f5d386cefd78db8d8ce1cb5620196a1257d 1240 moin_1.8.3-1.dsc
 dc7eb8913a362cde98dda4e76be07620742679f160df6f923654f9c64b62c254 5999564 moin_1.8.3.orig.tar.gz
 ad99537e8a1c9f75330b1f8724c65e905dc75805f2ca5f84e19e8d1008d908f3 97065 moin_1.8.3-1.diff.gz
 a034105a8f178195701bc4c6cbb9b099905210f2fdca1345d5eafbdd42b55cf5 3907572 python-moinmoin_1.8.3-1_all.deb
Files: 
 4f926fb55ca86ed0a7b01f38923c225b 1240 net optional moin_1.8.3-1.dsc
 bba731b8c3390d3344ba9933b1cd6865 5999564 net optional moin_1.8.3.orig.tar.gz
 c8ead64b640ca0ec4c74f56dd42ef9b6 97065 net optional moin_1.8.3-1.diff.gz
 2fcafd5ccb934fa48b24ad3ea50a28f5 3907572 python optional python-moinmoin_1.8.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREDAAYFAkoUJkUACgkQn7DbMsAkQLgySQCeIMi94YhLaENg6vnCBRNIcv8Z
9iIAoJBVYzRREdZ4QitQU9o2wyQhcFof
=GPEN
-----END PGP SIGNATURE-----

Message #58 received at 526594-close@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>

To: 526594-close@bugs.debian.org

Subject: Bug#526594: fixed in moin 1.7.1-3+lenny2

Date: Mon, 08 Jun 2009 19:54:28 +0000

Source: moin
Source-Version: 1.7.1-3+lenny2

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.7.1-3+lenny2.diff.gz
  to pool/main/m/moin/moin_1.7.1-3+lenny2.diff.gz
moin_1.7.1-3+lenny2.dsc
  to pool/main/m/moin/moin_1.7.1-3+lenny2.dsc
python-moinmoin_1.7.1-3+lenny2_all.deb
  to pool/main/m/moin/python-moinmoin_1.7.1-3+lenny2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 526594@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 05 May 2009 13:38:13 +0200
Source: moin
Binary: python-moinmoin
Architecture: source all
Version: 1.7.1-3+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 python-moinmoin - Python clone of WikiWiki - library
Closes: 526594
Changes: 
 moin (1.7.1-3+lenny2) stable-security; urgency=high
 .
   [ Frank Lin PIAT ]
   * Fix cross-site scripting vulnerability in action/AttachFile.py
     Closes: #526594), Thanks to Steffen Joeris.
     Fixes: CVE-2009-1482
   * Add mode escaping to AttachFile move
Checksums-Sha1: 
 83eb595609e7abadb018a865422377acafbc6c34 1258 moin_1.7.1-3+lenny2.dsc
 370de2971a249743baf886634c9da3779d7bfab8 78829 moin_1.7.1-3+lenny2.diff.gz
 1d7569121a9ba7aff1c04444a5a485c0af425e8b 4506106 python-moinmoin_1.7.1-3+lenny2_all.deb
Checksums-Sha256: 
 bab17df6e7389c3bd9f141500e701a552a7d9fb59348771754644e8b2ba8e28a 1258 moin_1.7.1-3+lenny2.dsc
 7d40173dfaa9ac0b61fd26ba02cf38c328091f28a4a7b9c22736b718263dc3b4 78829 moin_1.7.1-3+lenny2.diff.gz
 9bfc5b38d9ce426b62caf572693157cc18eed62bb2a058e23c16d5cfd38119fc 4506106 python-moinmoin_1.7.1-3+lenny2_all.deb
Files: 
 13d23d74a20087879c69545351a59dad 1258 net optional moin_1.7.1-3+lenny2.dsc
 46802a81d20427b26a8aa60af1f576c9 78829 net optional moin_1.7.1-3+lenny2.diff.gz
 9fb6772b6c4f6eb816a488593257f026 4506106 python optional python-moinmoin_1.7.1-3+lenny2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoBcloACgkQ62zWxYk/rQe2JwCfemlopxkf+QUCWxywwOghhKjF
wsMAoJyYthu2QQgIAnc3ApnW3SDQay9O
=Mo06
-----END PGP SIGNATURE-----

Message #63 received at 526594-close@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>

To: 526594-close@bugs.debian.org

Subject: Bug#526594: fixed in moin 1.7.1-3+lenny2

Date: Sat, 27 Jun 2009 16:04:40 +0000

Source: moin
Source-Version: 1.7.1-3+lenny2

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.7.1-3+lenny2.diff.gz
  to pool/main/m/moin/moin_1.7.1-3+lenny2.diff.gz
moin_1.7.1-3+lenny2.dsc
  to pool/main/m/moin/moin_1.7.1-3+lenny2.dsc
python-moinmoin_1.7.1-3+lenny2_all.deb
  to pool/main/m/moin/python-moinmoin_1.7.1-3+lenny2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 526594@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 05 May 2009 13:38:13 +0200
Source: moin
Binary: python-moinmoin
Architecture: source all
Version: 1.7.1-3+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 python-moinmoin - Python clone of WikiWiki - library
Closes: 526594
Changes: 
 moin (1.7.1-3+lenny2) stable-security; urgency=high
 .
   [ Frank Lin PIAT ]
   * Fix cross-site scripting vulnerability in action/AttachFile.py
     Closes: #526594), Thanks to Steffen Joeris.
     Fixes: CVE-2009-1482
   * Add mode escaping to AttachFile move
Checksums-Sha1: 
 83eb595609e7abadb018a865422377acafbc6c34 1258 moin_1.7.1-3+lenny2.dsc
 370de2971a249743baf886634c9da3779d7bfab8 78829 moin_1.7.1-3+lenny2.diff.gz
 1d7569121a9ba7aff1c04444a5a485c0af425e8b 4506106 python-moinmoin_1.7.1-3+lenny2_all.deb
Checksums-Sha256: 
 bab17df6e7389c3bd9f141500e701a552a7d9fb59348771754644e8b2ba8e28a 1258 moin_1.7.1-3+lenny2.dsc
 7d40173dfaa9ac0b61fd26ba02cf38c328091f28a4a7b9c22736b718263dc3b4 78829 moin_1.7.1-3+lenny2.diff.gz
 9bfc5b38d9ce426b62caf572693157cc18eed62bb2a058e23c16d5cfd38119fc 4506106 python-moinmoin_1.7.1-3+lenny2_all.deb
Files: 
 13d23d74a20087879c69545351a59dad 1258 net optional moin_1.7.1-3+lenny2.dsc
 46802a81d20427b26a8aa60af1f576c9 78829 net optional moin_1.7.1-3+lenny2.diff.gz
 9fb6772b6c4f6eb816a488593257f026 4506106 python optional python-moinmoin_1.7.1-3+lenny2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoBcloACgkQ62zWxYk/rQe2JwCfemlopxkf+QUCWxywwOghhKjF
wsMAoJyYthu2QQgIAnc3ApnW3SDQay9O
=Mo06
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.