MoinMoin Multiple Cross-Site Scripting Vulnerabilities Fixed by 1.9.9


Description   Several cross-site scripting vulnerabilities were reported in MoinMoin.
A remote attacker could exploit them by enticing a victim into following a specially crafted link in order to execute arbitrary JavaScript or HTML code.

Further information for these vulnerabilities:
- CVE-2016-7148: stored cross-site scripting in the page name, which is echoed in the attach file page without encoding (parameter "action=AttachFile")
- CVE-2016-7146: stored cross-site scripting in the file attachment action in the GUI editor (parameters "action=fckdialog&dialog=attachment" or via the GUI editor "Edit (GUI)" -> "Attachment")
- CVE-2016-9119: cross-site scripting in the GUI editor's link dialogue.

Proofs of concept are available for the CVE-2016-7146 and CVE-2016-7148 vulnerabilities.

Updated, 15/11/2016:
The moin packages provided by Debian Wheezy 7 are vulnerable.
Updated, 09/01/2017:
The moinmoin packages provided by FreeBSD are vulnerable.
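A log-triage sketch for the two entry points named above, added here as an example (it is not MoinMoin or vendor code): it flags requests to "action=AttachFile" or "action=fckdialog&dialog=attachment" whose URL still contains markup characters after percent-decoding. The combined access-log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: web server writes combined-format access logs.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r'[<>"]')  # characters that should never survive in a page name


def affected_action(query):
    """Map a query string to the CVE whose entry point it hits, else None."""
    params = parse_qs(query, keep_blank_values=True)
    actions = params.get("action", [])
    if "AttachFile" in actions:
        return "CVE-2016-7148"
    if "fckdialog" in actions and "attachment" in params.get("dialog", []):
        return "CVE-2016-7146"
    return None


def triage(lines):
    """Return (line number, CVE, decoded URL) for suspicious requests."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        cve = affected_action(urlsplit(target).query)
        if cve is None:
            continue
        # Decode twice so double-encoded markup (%253C) is also caught.
        decoded = unquote(unquote(target))
        if MARKUP_RE.search(decoded):
            findings.append((lineno, cve, decoded))
    return findings


# Constructed sample lines (documentation IP range, harmless formatting tags).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Nov/2016:10:00:01 +0000] "GET /FrontPage?action=AttachFile HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Nov/2016:10:00:09 +0000] "GET /Test%3Cb%3Ex%3C%2Fb%3E?action=AttachFile HTTP/1.1" 200 5300',
    '198.51.100.9 - - [01/Nov/2016:10:02:30 +0000] "GET /Demo%253Ci%253E?action=fckdialog&dialog=attachment HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Nov/2016:10:03:00 +0000] "GET /Notes%3Cb%3E?action=show HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for lineno, cve, url in triage(SAMPLE_LOG):
        print(f"line {lineno}: {cve} entry point with markup in URL: {url}")
```

Because CVE-2016-7148 and CVE-2016-7146 are stored issues, a hit identifies the page name to inspect and rename or delete, not only the request itself.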
     
Vulnerable Products   Vulnerable OS:
- Fedora (Red Hat) - 23, 24, 25
- FreeBSD (FreeBSD) - All
- GNU/Linux (Debian) - 7, 8
- Ubuntu Linux (Ubuntu) - 12.04 LTS, 14.04 LTS, 16.04 LTS, 16.10
     
Solution   Fixed moin packages for Fedora 23 and 25 are available.
     
CVE   CVE-2016-9119
CVE-2016-7148
CVE-2016-7146
     
References   - MoinMoin : Version History 1.9.9
http://hg.moinmo.in/moin/1.9/file/1.9.9/docs/CHANGES
- Curesec : MoinMoin 1.9.8: XSS
https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html
- DSA 3715-1 : moin security update
https://lists.debian.org/debian-security-announce/2016/msg00297.html
- Debian Security Tracker : moin
https://security-tracker.debian.org/tracker/CVE-2016-7146
https://security-tracker.debian.org/tracker/CVE-2016-7148
https://security-tracker.debian.org/tracker/CVE-2016-9119
- DLA 717-1 : moin security update
https://lists.debian.org/debian-lts-announce/2016/11/msg00024.html
- USN-3137-1 : MoinMoin vulnerabilities
http://www.ubuntu.com/usn/usn-3137-1/
- FEDORA-2016-d40c768095 : Fedora 24 Update: moin-1.9.9-1.fc24
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INJCFJJM3KFGRVJEVI2HLVWEEPM7ZCDM/
- FEDORA-2016-a77985b7c7 : Fedora 23 Update: moin-1.9.9-1.fc23
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CI6MW7XYZ5BITNKQ27MV7CJQMSINPB4I/
- FEDORA-2016-cde4525fab : Fedora 25 Update: moin-1.9.9-1.fc25
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PX67VU3W5TQ7V242LD4XW6CWSXEKEAV/
- VuXML : moinmoin -- XSS vulnerabilities
https://www.vuxml.org/freebsd/ab804e60-d693-11e6-9171-14dae9d210b8.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm   Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL   3.2.0
XSS - Prevention - GET : suspicious 'meta' tag found in URL   3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL   3.2.0
XSS - Prevention - POST : suspicious 'meta' tag found in data   3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL   3.2.0
XSS - Phishing : suspicious 'div' tag found in URL   3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL   3.2.0
XSS - Prevention - GET : suspicious 'img' tag found in URL   3.2.0
XSS - Prevention - POST : suspicious 'img' attribute found in data   3.2.0
XSS - Phishing : suspicious 'a' tag found in URL   3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL   3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL   3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL   3.2.0
XSS - Phishing : suspicious 'form' tag found in URL   3.2.0
XSS - Prevention - GET : javascript code found in URL   3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL   3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL   3.2.0
XSS - Phishing : suspicious 'link' tag found in URL   3.2.0
XSS - Prevention - GET : 'script' tag found in URL   3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL   3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL   3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data   5.0.0
XSS - Prevention - POST : javascript code found in data   5.0.0
XSS - Prevention - POST : suspicious tag with event found in data   5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data   5.0.0
XSS - Prevention - POST : 'location' javascript object found in data   5.0.0
XSS - Prevention - POST : code allowing cookie access found in data   5.0.0
XSS - Prevention - POST : 'script' tag found in data   5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data   5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data   5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data   5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data   5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data   5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data   5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data   5.0.0
     


 
 
 
 
Risk level   Low

Vulnerability First Public Report Date   2016-10-31

Target Type   Server

Possible exploit   Remote