XSS in Despam action
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| moin (Ubuntu) | Fix Released | Low | Jamie Strandboge | |
| Dapper | Fix Released | Low | Jamie Strandboge | |
| Hardy | Fix Released | Low | Jamie Strandboge | |
| Intrepid | Fix Released | Low | Jamie Strandboge | |
| Jaunty | Fix Released | Low | Jamie Strandboge | |
| Karmic | Fix Released | Low | Jamie Strandboge | |
| Lucid | Fix Released | Low | Jamie Strandboge | |
Bug Description
XSS in Despam page. To reproduce:
1. http://
2. click 'Create new empty page' with text 'Describe TestXSS<
3. click Save
4. Login as someone who can Despam (eg, superuser)
5. go to http://
6. click the appropriate 'Select Author' link (usually the 'localhost' link). If this doesn't work, log in as a non-superuser, make a small edit to the page (e.g., remove 'here' from the first line), then log back in as superuser and try to Despam again, clicking 'Select Author' for the user that just made the edit
7. click 'Revert All!'
8. observe a lot of blinking text (from the pagename)
Versions tested:
1.5.2-1ubuntu2.5 (Dapper)
1.5.8-5.1ubuntu2.3 (Hardy)
1.7.1-1ubuntu1.3 (Intrepid)
1.8.2-2ubuntu2.2 (Jaunty)
1.8.4-1ubuntu1.1 (Karmic)
Affected strings:
Pages to revert: all versions (1.5.x shows it as 'Debug' text)
Begin reverting: all versions
Finished reverting: all versions
Analysis:
The page name is not escaped in the revert_pages() function in Despam.py. It appears only privileged users are allowed to use the Despam action. Since the script must occur in the page name, it is pretty obvious when viewing that the page is suspicious (but this might be why someone was using the Despam action in the first place). There is also a limit on the length of the page name.
This has been assigned CVE-2010-0828.
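The defect the analysis describes, as an added example that is not MoinMoin's own code: the three affected Despam messages rendered with the page name interpolated into HTML unchanged, beside the same rendering with the name escaped first. Python's html.escape stands in for MoinMoin's wikiutil.escape, and the page name, templates and function names are constructed for this example.

```python
import html

# Constructed sample page names in the shape the report describes: tag
# delimiters in a wiki page name that the Despam action later echoes into
# its HTML output. The report's own page name is truncated; this one is made up.
SAMPLE_PAGES = ["TestXSS<blink>here</blink>", "NormalPage"]

# The three strings the report lists as affected, with a %s for the page name.
AFFECTED_TEMPLATES = (
    "Pages to revert: %s",
    "Begin reverting: %s",
    "Finished reverting: %s",
)


def render_despam_output(page_names, escaped=False):
    """Render the Despam progress messages as HTML fragments.

    escaped=False mirrors the defective pattern from the analysis: the page
    name goes into the HTML as-is. escaped=True applies the fix the changelog
    describes (escape at the point of interpolation; html.escape here stands
    in for wikiutil.escape).
    """
    fragments = []
    for template in AFFECTED_TEMPLATES:
        for name in page_names:
            shown = html.escape(name, quote=True) if escaped else name
            fragments.append("<p>%s</p>" % (template % shown))
    return fragments


def leaks_raw_markup(fragments, page_names):
    """Review check: a page name containing '<' or '>' must never appear
    verbatim inside the rendered HTML. Returns True if one does."""
    for name in page_names:
        if ("<" in name or ">" in name) and any(name in f for f in fragments):
            return True
    return False


if __name__ == "__main__":
    vulnerable = render_despam_output(SAMPLE_PAGES)
    fixed = render_despam_output(SAMPLE_PAGES, escaped=True)
    print("unescaped output leaks markup:", leaks_raw_markup(vulnerable, SAMPLE_PAGES))
    print("escaped output leaks markup:  ", leaks_raw_markup(fixed, SAMPLE_PAGES))
```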
Changed in moin (Ubuntu):
  status: New → Confirmed
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in moin (Ubuntu Dapper):
  status: New → Confirmed
Changed in moin (Ubuntu Hardy):
  status: New → Confirmed
Changed in moin (Ubuntu Intrepid):
  status: New → Confirmed
Changed in moin (Ubuntu Jaunty):
  status: New → Confirmed
Changed in moin (Ubuntu Karmic):
  status: New → Confirmed
Changed in moin (Ubuntu Dapper):
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in moin (Ubuntu Hardy):
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in moin (Ubuntu Intrepid):
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in moin (Ubuntu Jaunty):
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in moin (Ubuntu Karmic):
  assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
description: updated
description: updated
description: updated
description: updated
moin (1.9.2-2ubuntu2) lucid; urgency=low

  * Debian declares python-werkzeug and python-parsedatetime as Depends and
    python-xappy as Recommends, however these packages are in universe,
    which breaks Ubuntu policy (section 2.2.1). Until these packages can be
    added to main, use the embedded copies in moin.
    - debian/patches/ubuntu_use_embedded_for_main.patch: update setup.py
    - debian/rules: update CDBS_DEPENDS and CDBS_RECOMMENDS for the above
  * SECURITY UPDATE: fix XSS in Despam action
    - debian/patches/CVE-2010-0828.patch: use wikiutil.escape() in
      revert_pages()
    - CVE-2010-0828