XSS in Despam action
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| moin (Ubuntu) |
Fix Released
|
Low
|
Jamie Strandboge | ||
| Dapper |
Fix Released
|
Low
|
Jamie Strandboge | ||
| Hardy |
Fix Released
|
Low
|
Jamie Strandboge | ||
| Intrepid |
Fix Released
|
Low
|
Jamie Strandboge | ||
| Jaunty |
Fix Released
|
Low
|
Jamie Strandboge | ||
| Karmic |
Fix Released
|
Low
|
Jamie Strandboge | ||
| Lucid |
Fix Released
|
Low
|
Jamie Strandboge | ||
Bug Description
XSS in Despam page. To reproduce:
1. http://
2. click 'Create new empty page' with text 'Describe TestXSS<
3. click Save
4. Login as someone who can Despam (eg, superuser)
5. go to http://
6. click the appropriate 'Select Author' link (usually the 'localhost' link. If this doesn't work, then login as a non-superuser, make a small edit to the page (eg, remove 'here' from the first line), then log back in as superuser and try to Despam again, clicking 'Select Author' for the user that just made the edit)
7. click 'Revert All!'
8. observe a lot of blinking text (from the pagename)
Versions tested:
1.5.2-1ubuntu2.5 (Dapper)
1.5.8-5.1ubuntu2.3 (Hardy)
1.7.1-1ubuntu1.3 (Intrepid)
1.8.2-2ubuntu2.2 (Jaunty)
1.8.4-1ubuntu1.1 (Karmic)
Affected strings:
Pages to revert: all versions (1.5.x shows it as 'Debug' text)
Begin reverting: all versions
Finished reverting: all versions
Analysis:
The page name is not escaped in the revert_pages() function in Despam.py. It appears only privileged users are allowed to use the Despam action. Since the script must occur in the page name, it is pretty obvious when viewing that the page is suspicious (but this might be why someone was using the Despam action in the first place). There is also a limit on the length of the page name.
This has been assigned CVE-2010-0828.
CVE References
| Changed in moin (Ubuntu): | |
| status: | New → Confirmed |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in moin (Ubuntu Dapper): | |
| status: | New → Confirmed |
| Changed in moin (Ubuntu Hardy): | |
| status: | New → Confirmed |
| Changed in moin (Ubuntu Intrepid): | |
| status: | New → Confirmed |
| Changed in moin (Ubuntu Jaunty): | |
| status: | New → Confirmed |
| Changed in moin (Ubuntu Karmic): | |
| status: | New → Confirmed |
| Changed in moin (Ubuntu Dapper): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in moin (Ubuntu Hardy): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in moin (Ubuntu Intrepid): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in moin (Ubuntu Jaunty): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in moin (Ubuntu Karmic): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| description: | updated |
| description: | updated |
| description: | updated |
| Jamie Strandboge (jdstrand) wrote | #1 |
| Jamie Strandboge (jdstrand) wrote | #2 |
| Changed in moin (Ubuntu Lucid): | |
| status: | Confirmed → In Progress |
| importance: | Undecided → Low |
| Changed in moin (Ubuntu Dapper): | |
| status: | Confirmed → In Progress |
| importance: | Undecided → Low |
| Changed in moin (Ubuntu Hardy): | |
| status: | Confirmed → In Progress |
| importance: | Undecided → Low |
| Changed in moin (Ubuntu Intrepid): | |
| status: | Confirmed → In Progress |
| importance: | Undecided → Low |
| Changed in moin (Ubuntu Jaunty): | |
| status: | Confirmed → In Progress |
| importance: | Undecided → Low |
| Changed in moin (Ubuntu Karmic): | |
| status: | Confirmed → In Progress |
| importance: | Undecided → Low |
| description: | updated |
| description: | updated |
| Jamie Strandboge (jdstrand) wrote | #3 |
| Changed in moin (Ubuntu Lucid): | |
| status: | In Progress → Fix Released |
| Changed in moin (Ubuntu Dapper): | |
| status: | In Progress → Fix Committed |
| Changed in moin (Ubuntu Hardy): | |
| status: | In Progress → Fix Committed |
| Changed in moin (Ubuntu Intrepid): | |
| status: | In Progress → Fix Committed |
| Changed in moin (Ubuntu Jaunty): | |
| status: | In Progress → Fix Committed |
| Changed in moin (Ubuntu Karmic): | |
| status: | In Progress → Fix Committed |
| visibility: | private → public |
| Jamie Strandboge (jdstrand) wrote | #4 |
| Changed in moin (Ubuntu Dapper): | |
| status: | Fix Committed → Fix Released |
| Changed in moin (Ubuntu Hardy): | |
| status: | Fix Committed → Fix Released |
| Changed in moin (Ubuntu Intrepid): | |
| status: | Fix Committed → Fix Released |
| Changed in moin (Ubuntu Jaunty): | |
| status: | Fix Committed → Fix Released |
| Changed in moin (Ubuntu Karmic): | |
| status: | Fix Committed → Fix Released |
moin (1.9.2-2ubuntu2) lucid; urgency=low
* Debian declares python-werkzeug and python-
python-xappy as Recommends, however these packages are in universe,
which breaks Ubuntu policy (section 2.2.1). Until these packages can be
added to main, use the embedded copies in moin.
- debian/
- debian/rules: update CDBS_DEPENDS and CDBS_RECOMMENDS for the above
* SECURITY UPDATE: fix XSS in Despam action
- debian/
revert_
- CVE-2010-0828