GLSA
Bodhisattva
Joined: 13 Jun 2003
Posts: 4087
Location: Dresden, Germany
|
 Posted: Sun Jul 11, 2004 1:37 pm Post subject: [ GLSA 200407-09 ] MoinMoin: Group ACL bypass |
 |
|
Gentoo Linux Security Advisory
Title: MoinMoin: Group ACL bypass (GLSA 200407-09)
Severity: normal
Exploitable: remote
Date: July 11, 2004
Updated: May 22, 2006
Bug(s): #53126
ID: 200407-09
Synopsis
MoinMoin contains a bug allowing a user to bypass group ACLs (Access
Control Lists).
Background
MoinMoin is a Python clone of WikiWiki, based on PikiPiki.
Affected Packages
Package: www-apps/moinmoin
Vulnerable: <= 1.2.1
Unaffected: >= 1.2.2
Architectures: All supported architectures
Description
MoinMoin contains a bug in the code handling administrative group ACLs.
A user created with the same name as an administrative group gains the
privileges of the administrative group.
Impact
If an administrative group called AdminGroup existed an attacker could
create a user called AdminGroup and gain the privileges of the group
AdminGroup. This could lead to unauthorized users gaining
administrative access.
Workaround
For every administrative group with special privileges create a user
with the same name as the group.
Resolution
All users should upgrade to the latest available version of MoinMoin,
as follows:
| Code: | # emerge sync
# emerge -pv ">=www-apps/moinmoin-1.2.2"
# emerge ">=www-apps/moinmoin-1.2.2" |
References
MoinMoin Announcement
OSVDB Entry
CVE-2004-0708
Last edited by GLSA on Thu Apr 18, 2013 4:16 am; edited 6 times in total |
|
News & Announcements
