Executive Summary
Summary | |
---|---|
Title | MoinMoin vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-716-1 | First vendor Publication | 2009-01-30 |
Vendor | Ubuntu | Last vendor Modification | 2009-01-30 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: Ubuntu 7.10: Ubuntu 8.04 LTS: Ubuntu 8.10: In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Fernando Quintero discovered than MoinMoin did not properly sanitize its input when processing login requests, resulting in cross-site scripting (XSS) vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. This issue affected Ubuntu 7.10 and 8.04 LTS. (CVE-2008-0780) Fernando Quintero discovered that MoinMoin did not properly sanitize its input when attaching files, resulting in cross-site scripting vulnerabilities. This issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0781) It was discovered that MoinMoin did not properly sanitize its input when processing user forms. A remote attacker could submit crafted cookie values and overwrite arbitrary files via directory traversal. This issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0782) It was discovered that MoinMoin did not properly sanitize its input when editing pages, resulting in cross-site scripting vulnerabilities. This issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1098) It was discovered that MoinMoin did not properly enforce access controls, which could allow a remoter attacker to view private pages. This issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1099) It was discovered that MoinMoin did not properly sanitize its input when attaching files and using the rename parameter, resulting in cross-site scripting vulnerabilities. (CVE-2009-0260) It was discovered that MoinMoin did not properly sanitize its input when displaying error messages after processing spam, resulting in cross-site scripting vulnerabilities. (CVE-2009-0312) |
Original Source
Url : http://www.ubuntu.com/usn/USN-716-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
71 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
14 % | CWE-264 | Permissions, Privileges, and Access Controls |
14 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13561 | |||
Oval ID: | oval:org.mitre.oval:def:13561 | ||
Title: | USN-716-1 -- moin vulnerabilities | ||
Description: | Fernando Quintero discovered than MoinMoin did not properly sanitize its input when processing login requests, resulting in cross-site scripting vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. This issue affected Ubuntu 7.10 and 8.04 LTS. Fernando Quintero discovered that MoinMoin did not properly sanitize its input when attaching files, resulting in cross-site scripting vulnerabilities. This issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. It was discovered that MoinMoin did not properly sanitize its input when processing user forms. A remote attacker could submit crafted cookie values and overwrite arbitrary files via directory traversal. This issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. It was discovered that MoinMoin did not properly sanitize its input when editing pages, resulting in cross-site scripting vulnerabilities. This issue only affected Ubuntu 6.06 LTS and 7.10. It was discovered that MoinMoin did not properly enforce access controls, which could allow a remoter attacker to view private pages. This issue only affected Ubuntu 6.06 LTS and 7.10. It was discovered that MoinMoin did not properly sanitize its input when attaching files and using the rename parameter, resulting in cross-site scripting vulnerabilities. It was discovered that MoinMoin did not properly sanitize its input when displaying error messages after processing spam, resulting in cross-site scripting vulnerabilities | ||
Family: | unix | Class: | patch |
Reference(s): | USN-716-1 CVE-2008-0780 CVE-2008-0781 CVE-2008-0782 CVE-2008-1098 CVE-2008-1099 CVE-2009-0260 CVE-2009-0312 | Version: | 5 |
Platform(s): | Ubuntu 7.10 Ubuntu 8.04 Ubuntu 6.06 Ubuntu 8.10 | Product(s): | moin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18640 | |||
Oval ID: | oval:org.mitre.oval:def:18640 | ||
Title: | DSA-1514-1 moin | ||
Description: | Several remote vulnerabilities have been discovered in MoinMoin, a Python clone of WikiWiki. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1514-1 CVE-2007-2423 CVE-2007-2637 CVE-2008-0780 CVE-2008-0781 CVE-2008-0782 CVE-2008-1098 CVE-2008-1099 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | moin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19989 | |||
Oval ID: | oval:org.mitre.oval:def:19989 | ||
Title: | DSA-1715-1 moin - insufficient input sanitising | ||
Description: | It was discovered that the AttachFile action in moin, a python clone of WikiWiki, is prone to cross-site scripting attacks (<a href="http://security-tracker.debian.org/tracker/CVE-2009-0260">CVE-2009-0260</a>). Another cross-site scripting vulnerability was discovered in the antispam feature (<a href="http://security-tracker.debian.org/tracker/CVE-2009-0312">CVE-2009-0312</a>). | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1715-1 CVE-2009-0260 CVE-2009-0312 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | moin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:7891 | |||
Oval ID: | oval:org.mitre.oval:def:7891 | ||
Title: | DSA-1514 moin -- several vulnerabilities | ||
Description: | Several remote vulnerabilities have been discovered in MoinMoin, a Python clone of WikiWiki. The Common Vulnerabilities and Exposures project identifies the following problems: A cross-site-scripting vulnerability has been discovered in attachment handling. Access control lists for calendars and includes were insufficiently enforced, which could lead to information disclosure. A cross-site-scripting vulnerability has been discovered in the login code. A cross-site-scripting vulnerability has been discovered in attachment handling. A directory traversal vulnerability in cookie handling could lead to local denial of service by overwriting files. Cross-site-scripting vulnerabilities have been discovered in the GUI editor formatter and the code to delete pages. The macro code validates access control lists insufficiently, which could lead to information disclosure. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1514 CVE-2007-2423 CVE-2007-2637 CVE-2008-0780 CVE-2008-0781 CVE-2008-0782 CVE-2008-1098 CVE-2008-1099 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | moin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:8023 | |||
Oval ID: | oval:org.mitre.oval:def:8023 | ||
Title: | DSA-1715 moin -- insufficient input sanitising | ||
Description: | It was discovered that the AttachFile action in moin, a python clone of WikiWiki, is prone to cross-site scripting attacks (CVE-2009-0260). Another cross-site scripting vulnerability was discovered in the antispam feature (CVE-2009-0312). | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1715 CVE-2009-0260 CVE-2009-0312 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | moin |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-07-29 | Name : Fedora Core 10 FEDORA-2009-7761 (moin) File : nvt/fcore_2009_7761.nasl |
2009-06-23 | Name : Fedora Core 10 FEDORA-2009-6557 (moin) File : nvt/fcore_2009_6557.nasl |
2009-06-23 | Name : Fedora Core 9 FEDORA-2009-6559 (moin) File : nvt/fcore_2009_6559.nasl |
2009-05-20 | Name : FreeBSD Ports: moinmoin File : nvt/freebsd_moinmoin4.nasl |
2009-05-20 | Name : FreeBSD Ports: moinmoin File : nvt/freebsd_moinmoin5.nasl |
2009-04-28 | Name : Fedora Core 9 FEDORA-2009-3845 (moin) File : nvt/fcore_2009_3845.nasl |
2009-04-28 | Name : Fedora Core 10 FEDORA-2009-3868 (moin) File : nvt/fcore_2009_3868.nasl |
2009-02-17 | Name : Fedora Update for moin FEDORA-2008-3328 File : nvt/gb_fedora_2008_3328_moin_fc7.nasl |
2009-02-17 | Name : Fedora Update for moin FEDORA-2008-3301 File : nvt/gb_fedora_2008_3301_moin_fc8.nasl |
2009-02-16 | Name : Fedora Update for moin FEDORA-2008-1880 File : nvt/gb_fedora_2008_1880_moin_fc7.nasl |
2009-02-16 | Name : Fedora Update for moin FEDORA-2008-1905 File : nvt/gb_fedora_2008_1905_moin_fc8.nasl |
2009-02-02 | Name : FreeBSD Ports: moinmoin File : nvt/freebsd_moinmoin3.nasl |
2009-02-02 | Name : Ubuntu USN-716-1 (moin) File : nvt/ubuntu_716_1.nasl |
2009-02-02 | Name : Debian Security Advisory DSA 1715-1 (moin) File : nvt/deb_1715_1.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200803-27 (moinmoin) File : nvt/glsa_200803_27.nasl |
2008-09-04 | Name : FreeBSD Ports: moinmoin File : nvt/freebsd_moinmoin1.nasl |
2008-03-11 | Name : Debian Security Advisory DSA 1514-1 (moin) File : nvt/deb_1514_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
51632 | MoinMoin security/antispam.py Disallowed Content XSS |
51485 | MoinMoin action/AttachFile.py Multiple Parameter XSS |
43147 | MoinMoin PageEditor.py Multiple Parameter XSS |
43146 | MoinMoin formatter/text_gedit.py XSS |
43145 | MoinMoin wikimacro.py _macro_Getval Remote Information Disclosure |
41780 | MoinMoin MOIN_ID Cookie userform Action Traversal Arbitrary File Overwrite |
41779 | MoinMoin action/AttachFile.py Multiple Parameter XSS |
41778 | MoinMoin Login Action XSS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-05-14 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_fc4d0ae83fa311dea3fd0030843d3802.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2009-3868.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-716-1.nasl - Type : ACT_GATHER_INFO |
2009-04-22 | Name : The remote Fedora host is missing a security update. File : fedora_2009-3845.nasl - Type : ACT_GATHER_INFO |
2009-02-01 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_6a523dbaeeab11ddab4f0030843d3802.nasl - Type : ACT_GATHER_INFO |
2009-01-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1715.nasl - Type : ACT_GATHER_INFO |
2008-05-01 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3301.nasl - Type : ACT_GATHER_INFO |
2008-05-01 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3328.nasl - Type : ACT_GATHER_INFO |
2008-03-19 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200803-27.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1514.nasl - Type : ACT_GATHER_INFO |
2008-02-26 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_f113bbebe3ac11dcbb89000bcdc1757a.nasl - Type : ACT_GATHER_INFO |
2008-02-25 | Name : The remote Fedora host is missing a security update. File : fedora_2008-1880.nasl - Type : ACT_GATHER_INFO |
2008-02-25 | Name : The remote Fedora host is missing a security update. File : fedora_2008-1905.nasl - Type : ACT_GATHER_INFO |
2008-01-24 | Name : The remote web server contains a Python application that suffers from an inpu... File : moinmoin_cookie_id.nasl - Type : ACT_ATTACK |
Alert History
Date | Informations |
---|---|
2014-02-17 12:05:39 |
|