In association with heise online

18 February 2008, 11:14

Patches for MoinMoin Wiki system

The developers of the Python-based MoinMoin Wiki system have closed two XSS vulnerabilities and a directory traversal hole. Insufficient filtering of submitted user names in the action/login.py login script allowed injected JavaScript code to be executed in the victim's browser. The same applied to the action/AttachFile.py file upload script, which did not sufficiently filter JavaScript passed in the message, pagename and target parameters.

A directory traversal hole was reported to allow attackers to use specially crafted cookies to traverse the data/user/ directory and compromise systems by overwriting files. The flaw occurred in the user.py script when processing certain IDs in the cookie. Only version 1.5.x contained the latter vulnerability. Apart from the updated version 1.6.1, the developers have also made patches for 1.6 and 1.5.x available for download.
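
One way to guard against the class of flaw described above, where an ID taken from a cookie ends up as a file name under a user directory. This is an added example, not MoinMoin's code or its patch; the function names, the ID pattern and the sample values are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed ID shape for this sketch: groups of digits separated by dots.
# This is an illustrative allow-list, not MoinMoin's actual rule.
ID_PATTERN = re.compile(r"[0-9]+(?:\.[0-9]+)*")


def user_file_path(user_dir, cookie_id):
    """Map a cookie-supplied ID to a file inside user_dir, or raise ValueError."""
    # 1. Allow-list: rejects path separators, "..", NUL bytes, empty strings.
    if not isinstance(cookie_id, str) or not ID_PATTERN.fullmatch(cookie_id):
        raise ValueError("malformed user id")
    # 2. Containment: resolve symlinks and confirm the result still sits
    #    directly inside user_dir, even if the allow-list is later loosened.
    base = os.path.realpath(user_dir)
    candidate = os.path.realpath(os.path.join(base, cookie_id))
    if os.path.dirname(candidate) != base:
        raise ValueError("user id escapes user directory")
    return candidate


def check_ids(user_dir, ids):
    """Return {id: bool} showing which IDs would be accepted."""
    results = {}
    for cookie_id in ids:
        try:
            user_file_path(user_dir, cookie_id)
            results[cookie_id] = True
        except ValueError:
            results[cookie_id] = False
    return results


# Constructed sample cookie values (not taken from any advisory).
SAMPLE_IDS = [
    "1203329640.12.34567",   # well-formed under the assumed pattern
    "../../outside.txt",     # relative traversal
    "/tmp/outside.txt",      # absolute path
    "1203329640.12/../x",    # traversal after a valid-looking prefix
    "",                      # empty value
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for cid, ok in check_ids(d, SAMPLE_IDS).items():
            print(f"{cid!r:28} -> {'accept' if ok else 'reject'}")
```

The containment check is deliberately redundant with the allow-list, so that a symlink planted in the directory or a later relaxation of the pattern does not reopen the hole.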

(mba)

Permalink: http://h-online.com/-734259