MoinMoin _macro_Getval information disclosure
| moinmoin-macrogetval-information-disclosure (41038) |  Low Risk |
Description:
MoinMoin could allow a remote attacker to obtain sensitive information, caused by the improper enforcing of ACLs by _macro_Getval in wikimacro.py. An attacker could exploit this vulnerability to read restricted pages and obtain sensitive information.
Platforms Affected:
- Canonical, Ubuntu 6.06 LTS
- Canonical, Ubuntu 7.10
- Canonical, Ubuntu 8.04 LTS
- Canonical, Ubuntu 8.10
- Debian, Debian Linux 4.0
- Gentoo, Linux
- MoinMoin, MoinMoin 1.5.8
Remedy:
Upgrade to the latest version of MoinMoin (1.5.8 or later), available from the MoinMoin SecurityFixes Web site. See References.
Consequences:
Obtain Information
References:
- moin/1.5 / changeset, wikimacro._macro_GetVal: bug fix respect ACLs on page at http://hg.moinmo.in/moin/1.5/rev/4a7de0173734.
- MoinMoin SecurityFixes Web site, Security Fix Announcements, moin 1.5.8 at http://moinmo.in/SecurityFixes.
- BID-28177: MoinMoin Macro Code Information Disclosure Vulnerability
- CVE-2008-1099: _macro_Getval in wikimacro.py in MoinMoin 1.5.8 and earlier does not properly enforce ACLs, which allows remote attackers to read protected pages.
- DSA-1514: moin -- several vulnerabilities
- GLSA-200803-27: MoinMoin: Multiple vulnerabilities
- USN-716-1: MoinMoin vulnerabilities
Reported:
Feb 13, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net