moin -- insufficient input sanitising

ID DSA-2024
Type debian
Reporter Debian
Modified 2010-03-31T00:00:00


Jamie Strandboge discovered that moin, a python clone of WikiWiki, does not sufficiently sanitize the page name in "Despam" action, allowing remote attackers to perform cross-site scripting (XSS) attacks.

In addition, this update fixes a minor issue in the "textcha" protection, it could be trivially bypassed by blanking the "textcha-question" and "textcha-answer" form fields.

For the stable distribution (lenny), these problems have been fixed in version 1.7.1-3+lenny4.

For the testing (squeeze) and unstable (sid) distribution, these problems will be fixed soon.

We recommend that you upgrade your moin package.