XSS in Despam action

Reported by Jamie Strandboge on 2010-03-12
Affects          Status   Importance   Assigned to        Milestone
moin (Ubuntu)             Low          Jamie Strandboge
  Dapper                  Low          Jamie Strandboge
  Hardy                   Low          Jamie Strandboge
  Intrepid                Low          Jamie Strandboge
  Jaunty                  Low          Jamie Strandboge
  Karmic                  Low          Jamie Strandboge
  Lucid                   Low          Jamie Strandboge

Bug Description

XSS in Despam page. To reproduce:
1. http://localhost/MyWiki/TestXSS<blink>WARNING</blink>
2. click 'Create new empty page' with text 'Describe TestXSS<blink>WARNING</blink> here.'
3. click Save
4. Login as someone who can Despam (e.g., superuser)
5. go to http://localhost/MyWiki/TestXSS%3Cblink%3EWARNING%3C/blink%3E?action=Despam
6. click the appropriate 'Select Author' link (usually the 'localhost' link. If this doesn't work, then login as a non-superuser, make a small edit to the page (e.g., remove 'here' from the first line), then log back in as superuser and try to Despam again, clicking 'Select Author' for the user that just made the edit)
7. click 'Revert All!'
8. observe a lot of blinking text (from the pagename)

Versions tested:
1.5.2-1ubuntu2.5 (Dapper)
1.5.8-5.1ubuntu2.3 (Hardy)
1.7.1-1ubuntu1.3 (Intrepid)
1.8.2-2ubuntu2.2 (Jaunty)
1.8.4-1ubuntu1.1 (Karmic)

Affected strings:
Pages to revert: all versions (1.5.x shows it as 'Debug' text)
Begin reverting: all versions
Finished reverting: all versions

Analysis:
The page name is not escaped in the revert_pages() function in Despam.py. It appears only privileged users are allowed to use the Despam action. Since the script must occur in the page name, it is pretty obvious when viewing that the page is suspicious (but this might be why someone was using the Despam action in the first place). There is also a limit on the length of the page name.

This has been assigned CVE-2010-0828.
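The pattern behind the defect and the fix described in the Lucid changelog entry (wikiutil.escape() in revert_pages()), as an added illustration that is not MoinMoin's own code: the three affected status strings are built by interpolating the page name into HTML, the 'before' form inserts it raw, the 'after' form escapes it first. The `escape`, `TEMPLATES`, `revert_status_*` and `injected_tags` names are stand-ins, not Despam.py identifiers, and the markup around the name is constructed here.

```python
import html
import re

def escape(s, quote=True):
    """Stand-in for MoinMoin's wikiutil.escape() (assumption: it HTML-escapes
    &, <, > and, with quote=True, the quote characters)."""
    return html.escape(s, quote=quote)

# The three Despam status strings the report lists as affected; the markup
# around the name is constructed here, not copied from Despam.py.
TEMPLATES = (
    "Pages to revert: <b>%s</b>",
    "Begin reverting: %s",
    "Finished reverting: %s",
)

def revert_status_vulnerable(pagename):
    """'Before' form: the page name goes straight into HTML, so a page named
    TestXSS<blink>WARNING</blink> renders as live markup (CVE-2010-0828)."""
    return [t % pagename for t in TEMPLATES]

def revert_status_fixed(pagename):
    """'After' form, as the changelog describes the fix: escape the page name
    before interpolating it."""
    return [t % escape(pagename) for t in TEMPLATES]

TAG_RE = re.compile(r"<[^>]+>")

def injected_tags(template, rendered):
    """Defender-side check: tags in the rendered line beyond those the
    template itself carries. Non-empty means untrusted data reached the
    markup layer unescaped."""
    found = TAG_RE.findall(rendered)
    for tag in TAG_RE.findall(template):
        found.remove(tag)
    return found

if __name__ == "__main__":
    # Constructed page name matching the report's reproduction steps.
    name = "TestXSS<blink>WARNING</blink>"
    for t, before, after in zip(TEMPLATES, revert_status_vulnerable(name),
                                revert_status_fixed(name)):
        print("vulnerable:", before, "-> injected", injected_tags(t, before))
        print("fixed:     ", after, "-> injected", injected_tags(t, after))
```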

Changed in moin (Ubuntu):
status: New → Confirmed
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in moin (Ubuntu Dapper):
status: New → Confirmed
Changed in moin (Ubuntu Hardy):
status: New → Confirmed
Changed in moin (Ubuntu Intrepid):
status: New → Confirmed
Changed in moin (Ubuntu Jaunty):
status: New → Confirmed
Changed in moin (Ubuntu Karmic):
status: New → Confirmed
Changed in moin (Ubuntu Dapper):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in moin (Ubuntu Hardy):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in moin (Ubuntu Intrepid):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in moin (Ubuntu Jaunty):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in moin (Ubuntu Karmic):
assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
description: updated
description: updated
Changed in moin (Ubuntu Lucid):
status: Confirmed → In Progress
importance: Undecided → Low
Changed in moin (Ubuntu Dapper):
status: Confirmed → In Progress
importance: Undecided → Low
Changed in moin (Ubuntu Hardy):
status: Confirmed → In Progress
importance: Undecided → Low
Changed in moin (Ubuntu Intrepid):
status: Confirmed → In Progress
importance: Undecided → Low
Changed in moin (Ubuntu Jaunty):
status: Confirmed → In Progress
importance: Undecided → Low
Changed in moin (Ubuntu Karmic):
status: Confirmed → In Progress
importance: Undecided → Low
description: updated
description: updated
Jamie Strandboge (jdstrand) wrote :

moin (1.9.2-2ubuntu2) lucid; urgency=low

  * Debian declares python-werkzeug and python-parsedatetime as Depends and
    python-xappy as Recommends, however these packages are in universe,
    which breaks Ubuntu policy (section 2.2.1). Until these packages can be
    added to main, use the embedded copies in moin.
    - debian/patches/ubuntu_use_embedded_for_main.patch: update setup.py
    - debian/rules: update CDBS_DEPENDS and CDBS_RECOMMENDS for the above
  * SECURITY UPDATE: fix XSS in Despam action
    - debian/patches/CVE-2010-0828.patch: use wikiutil.escape() in
      revert_pages()
    - CVE-2010-0828

Changed in moin (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in moin (Ubuntu Dapper):
status: In Progress → Fix Committed
Changed in moin (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in moin (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in moin (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in moin (Ubuntu Karmic):
status: In Progress → Fix Committed
visibility: private → public
Changed in moin (Ubuntu Dapper):
status: Fix Committed → Fix Released
Changed in moin (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in moin (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in moin (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in moin (Ubuntu Karmic):
status: Fix Committed → Fix Released