Debian Security Advisory
DSA-2024-1 moin -- insufficient input sanitising
- Date Reported:
- 31 Mar 2010
- Affected Packages:
- moin
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 575995.
In Mitre's CVE dictionary: CVE-2010-0828. - More information:
-
Jamie Strandboge discovered that moin, a python clone of WikiWiki, does not sufficiently sanitize the page name in "Despam" action, allowing remote attackers to perform cross-site scripting (XSS) attacks.
In addition, this update fixes a minor issue in the "textcha" protection, it could be trivially bypassed by blanking the "textcha-question" and "textcha-answer" form fields.
For the stable distribution (lenny), these problems have been fixed in version 1.7.1-3+lenny4.
For the testing (squeeze) and unstable (sid) distribution, these problems will be fixed soon.
We recommend that you upgrade your moin package.
- Fixed in:
-
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1.orig.tar.gz
- http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1-3+lenny4.diff.gz
- http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1-3+lenny4.dsc
- http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1-3+lenny4.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/moin/python-moinmoin_1.7.1-3+lenny4_all.deb
MD5 checksums of the listed files are available in the original advisory.