[Moin-user] Vulnerabilities affecting MoinMoin 1.5.7 Release? (CVE-2007-901, 902)

Tyler Florez tflorez at calpoly.edu
Fri Mar 16 21:29:32 EDT 2007


Hi there,

It's come to my attention that a few relatively recent security reports
allege vulnerabilities including cross-site scripting in MoinMoin up to
and including release 1.5.7
(http://secunia.com/advisories/24138).

However, I've been able to find no corroborating information on the
moinmoin site, mailing list, or changelog
(http://moinmoin.wikiwikiweb.de/MoinMoinRelease1.5/CHANGES), making me a
bit suspicious the reports are incorrect, since I would assume the
MoinMoin site would be among the first to know, or be notified, about
this (http://moinmoin.wikiwikiweb.de/KnownIssues).

These reports refer to CVE-2007-901 and 902:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=moinmoin

which in turn cites sources like secunia.com and securityfocus.com
(http://www.securityfocus.com/bid/22515).

Notably, one CVE citation refers to ubuntu.com although the ubuntu
report itself appears to apply to moinmoin-1.5.3 and lower
(http://www.ubuntu.com/usn/usn-423-1).

So it seems to me that these security reports may be incorrect in
listing the 1.5.7 release as vulnerable; rather, it may be a problem
with an earlier version and CVE is incorrect that this applies to the
newest release, 1.5.7 (or am I missing something?).

Does anyone know about the validity of these security reports w.r.t.
MoinMoin 1.5.7?

Thanks!

-Tyler




