[Moin-user] Moinmoin security and exploits

Antonios Christofides anthony at itia.ntua.gr
Wed Oct 5 02:58:17 EDT 2005


Thomas Waldmann wrote:
> But I think in case of a severe security issue in a current moin
> release, you would find something on MoinMoin:FrontPage and soon
> after a new release on Sourceforge.

This is not sufficient.  There must be a security announce mailing
list.  In fact, the fewer the security problems that are discovered,
the more important is the mailing list.  You can't expect
administrators to visit the mm front page every morning (and the front
page of every other software they have installed) to see if there is
an advisory.  The one time that a serious vulnerability is discovered,
you will want to notify all administrators.

(I'm administering a twiki, and before they set up that list, I was
notified about the vulnerability from the strange behaviour of my
compromised machine.)

> The buffer overflow problems often leading to exploits in C code
> can't happen in moin code, because it is Python and in Python
> buffers do not overflow, they just grow.

Yes, but web applications suffer from failing to escape input.  I feel
moinmoin is secure ok, and the quality of its code is good, but
eventually the vulnerability will be discovered, and when that happens
you will need to have that list.
 
-- 
Antonios Christofides
+30-2661020814
+30-6979924665
