Debian Security Advisory

DSA-2083-1 moin -- missing input sanitization

Date Reported:
02 Aug 2010
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 584809.
In Mitre's CVE dictionary: CVE-2010-2487.
More information:

It was discovered that moin, a python clone of WikiWiki, does not sufficiently sanitize parameters when passing them to the add_msg function. This allows a remote attackers to conduct cross-site scripting (XSS) attacks for example via the template parameter.

For the stable distribution (lenny), this problem has been fixed in version 1.7.1-3+lenny5.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 1.9.3-1.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.