Moin people.
In these hot days, while waiting to define the recent regulations for the
Ubuntu Whitehat team, I started auditing and penetration testing MoinMoin.
MoinMoin is a WikiWikiWeb collaborative hypertext environment, with an emphasis on easy access to and modification of information. MoinMoin is a Python WikiClone that allows you to easily set up your own wiki, only requiring a Web server and a Python installation.
One “nice” security issue I found through this work is a cross-site scripting vulnerability in the Advanced Search macro.
I immediately notified Thomas Waldmann, and we worked together on a fix that adds escaping.
The versions found to be vulnerable were 1.6, 1.7 and 1.8 (development).
Needless to say, the upstream site (www.moinmo.in) appears vulnerable, and so was our help.ubuntu.com, which Andrew Glen-Young patched promptly.
The only vulnerable version in the Ubuntu repository was in Intrepid (Bug 248167), now fixed.
Big thanks to Scott Kitterman for the timely sponsorship of my debdiff in Intrepid (main).
Security Fix Announcements
MoinMoin 1.6 http://hg.moinmo.in/moin/1.6/rev/8686a10f1f58
MoinMoin 1.7 http://hg.moinmo.in/moin/1.7/rev/383196922b03
See also: http://moinmo.in/SecurityFixes
Off Topic
Now I’m a MOTU; big thanks for the feedback and votes.