Debian Security Advisory
DSA-2083-1 moin -- missing input sanitization
- Date Reported:
- 02 Aug 2010
- Affected Packages:
- moin
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 584809.
In Mitre's CVE dictionary: CVE-2010-2487. - More information:
-
It was discovered that moin, a python clone of WikiWiki, does not sufficiently sanitize parameters when passing them to the add_msg function. This allows a remote attackers to conduct cross-site scripting (XSS) attacks for example via the template parameter.
For the stable distribution (lenny), this problem has been fixed in version 1.7.1-3+lenny5.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in version 1.9.3-1.
- Fixed in:
-
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1-3+lenny5.dsc
- http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1.orig.tar.gz
- http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1-3+lenny5.diff.gz
- http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/moin/python-moinmoin_1.7.1-3+lenny5_all.deb
MD5 checksums of the listed files are available in the original advisory.