Bug#411084: CVE-2007-0901,0902: XSS in debugging information

Thu, 15 Feb 2007 13:49:15 -0800 

Package: moin
Version: 1.3.4-3
Severity: grave
Tags: patch, security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0901 says:

"Multiple cross-site scripting (XSS) vulnerabilities in Info pages in 
MoinMoin 1.5.7 allow remote attackers to inject arbitrary web script or 
HTML via the (1) hitcounts and (2) general parameters, different vectors 
than CVE-2007-0857."

This appears not to be true for the 1.5.x line of Moin, but it is true 
in 1.3.x.  Attached is the patch I'm using in Ubuntu, which also 
includes fixes for CVE-2007-0902, by allowing for "show_traceback" to be 
set to 0 in site configurations.

-- 
Kees Cook                                            @outflux.net

diff -Nur moin1.3-1.3.4/MoinMoin/multiconfig.py moin1.3-1.3.4.new/MoinMoin/multiconfig.py
--- moin1.3-1.3.4/MoinMoin/multiconfig.py	2005-03-12 13:26:14.000000000 -0800
+++ moin1.3-1.3.4.new/MoinMoin/multiconfig.py	2007-02-15 12:48:43.507437578 -0800
@@ -245,6 +245,7 @@
     show_section_numbers = 1
     show_timings = 0
     show_version = 0
+    show_traceback = 1
     siteid = 'default'
     theme_default = 'modern'
     theme_force = False
diff -Nur moin1.3-1.3.4/MoinMoin/request.py moin1.3-1.3.4.new/MoinMoin/request.py
--- moin1.3-1.3.4/MoinMoin/request.py	2005-03-06 14:15:45.000000000 -0800
+++ moin1.3-1.3.4.new/MoinMoin/request.py	2007-02-15 12:48:36.011047587 -0800
@@ -915,7 +915,7 @@
                 self.print_exception(*saved_exc)
             else:
                 try:
-                    cgitb.Hook(file=self).handle(saved_exc)
+                    cgitb.Hook(file=self,display=self.cfg.show_traceback).handle(saved_exc)
                     # was: cgitb.handler()
                 except:
                     self.print_exception(*saved_exc)
diff -Nur moin1.3-1.3.4/MoinMoin/support/cgitb.py moin1.3-1.3.4.new/MoinMoin/support/cgitb.py
--- moin1.3-1.3.4/MoinMoin/support/cgitb.py	2005-01-09 10:48:07.000000000 -0800
+++ moin1.3-1.3.4.new/MoinMoin/support/cgitb.py	2007-02-15 12:48:36.011047587 -0800
@@ -85,7 +85,7 @@
                osinfo + '<br>' + \
                'MoinMoin Release %s [Revision %s]' % (version.release, version.revision)
     head = '<body bgcolor="#f0f0f8">' + pydoc.html.heading(
-        '<big><big><strong>%s</strong>%s</big></big>' % (str(etype), str(evalue)),
+        '<big><big><strong>%s</strong>%s</big></big>' % (pydoc.html.escape(str(etype)), pydoc.html.escape(str(evalue))),
         '#ffffff', '#6622aa', versinfo + '<br>' + date) + '''
 <p>A problem occurred in a Python script.  Here is the sequence of
 function calls leading up to the error, in the order they occurred.'''
@@ -141,7 +141,7 @@
 <table width="100%%" cellspacing=0 cellpadding=0 border=0>
 %s</table>''' % '\n'.join(rows))
 
-    exception = ['<p>%s: %s' % (strong(str(etype)), str(evalue))]
+    exception = ['<p>%s: %s' % (strong(pydoc.html.escape(str(etype))), pydoc.html.escape(str(evalue)))]
     if type(evalue) is types.InstanceType:
         for name in dir(evalue):
             value = pydoc.html.repr(getattr(evalue, name))

Reply via email to