Critical security update for MoinMoin wiki released
The developers of MoinMoin have released version 1.9.6 of their open source wiki software, closing a critical security vulnerability in the twikidraw and anywikidraw components that could be exploited to execute arbitrary code. The problem affects MoinMoin 1.9.5 and earlier versions.
The hole appears to have existed for some time: it was already used to attack the Debian project's wiki in late July 2012. The attack did not become known to the administrators until 28 December, following the theft of user passwords some months before. The administrators had to set up a new server for a clean installation and emailed users to tell them that the passwords for all users had been reset. The Python.org wiki also appears to have been affected by the same problem; at the time of writing that wiki is down, with no further details available.
The MoinMoin developers have also patched a directory traversal vulnerability that enabled attackers to deposit files outside of the designated uploads directory. This vulnerability would allow attackers to introduce PHP scripts that could then be executed.
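One way to enforce that an uploaded file stays inside the designated uploads directory, shown next to the weak pattern of joining the client-supplied name as-is. This is an added Python example, not MoinMoin's code or its actual patch; the function names, the `uploads` directory and the sample file names are constructed for illustration.

```python
import os
import tempfile


def naive_upload_path(upload_dir, client_name):
    # Weak pattern: the client-supplied name is joined as-is, so "../" segments
    # or an absolute path decide where the file ends up.
    return os.path.normpath(os.path.join(upload_dir, client_name))


def safe_upload_path(upload_dir, client_name):
    # Resolve both paths (symlinks included) and require the result to stay
    # strictly below the uploads directory.
    if not client_name or "\x00" in client_name:
        raise ValueError(f"unsafe upload name: {client_name!r}")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, client_name))
    if target == root or os.path.commonpath([root, target]) != root:
        raise ValueError(f"unsafe upload name: {client_name!r}")
    return target


def check_names(names):
    """Return {name: (naive path stays inside?, accepted by safe_upload_path?)}."""
    results = {}
    with tempfile.TemporaryDirectory() as site:
        uploads = os.path.join(site, "uploads")
        os.mkdir(uploads)
        root = os.path.realpath(uploads)
        for name in names:
            naive = os.path.realpath(naive_upload_path(uploads, name))
            naive_inside = os.path.commonpath([root, naive]) == root
            try:
                safe_upload_path(uploads, name)
                accepted = True
            except ValueError:
                accepted = False
            results[name] = (naive_inside, accepted)
    return results


# Constructed sample names, not taken from any real request.
SAMPLES = ["drawing.png", "sub/drawing.png", "../script.php",
           "a/../../script.php", "/tmp/script.php"]

if __name__ == "__main__":
    for name, (inside, ok) in check_names(SAMPLES).items():
        print(f"{name!r}: naive stays inside={inside}, safe accepts={ok}")
```

A containment check of this kind complements, rather than replaces, serving the uploads directory with script execution disabled.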
All versions of the 1.9.x branch of MoinMoin are affected and users should update as soon as possible, according to the developers. More information on the exploits, and on how users can determine whether their installations have been affected by exploit code, is available on the Security Fix Announcements page on the MoinMoin web site. The developers strongly recommend that users download MoinMoin 1.9.6 and install it as soon as possible.