Application_MoinMoin

Version 5.1 by Nicolas Gregoire on 2012/01/24 22:20

Introduction

Dixit Wikipedia, "MoinMoin is a wiki engine implemented in Python, initially based on the PikiPiki wiki engine. The MoinMoin code is licensed under the GNU General Public License v2, or (at the user's option) any later version (except some 3rd party modules that are licensed under other Free Software licenses compatible with the GPL). A number of organizations use MoinMoin to run public wikis, including notable free software projects Ubuntu, Apache, Debian, FreeBSD, and others."

Vulnerabilities

By default, the 'allow_xslt' configuration option is set to False. If this option is set to True, then "read/write/overwrite arbitrary path/file as the moin process uid/gid" is possible. These bugs are triggered by inserting, then displaying, wiki pages containing XSLT code.

This behavior was documented in version 1.9.3:
http://moinmo.in/SecurityFixes
http://hg.moinmo.in/moin/1.9/rev/99e2309a7ec0

File disclosure

Using an XML External Entity (XXE) attack, it is possible to read text files (PoC).

Note: I was unable to abuse the doc-as-string() extension function because of the MoinMoin URL Resolver. I didn't spend much time on it, given that an XXE vulnerability was already found.

File creation

As described on the 4Suite page, the <exsl:document> extension element allows file creation (PoC).
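An added example, not code from the original page or from MoinMoin: a pre-save audit that a wiki operator who has enabled allow_xslt could run over submitted XSLT before it is stored. It uses the standard-library expat bindings, which never fetch external resources on their own, to flag the constructs this page discusses: external entity declarations and references, exsl:document, and calls to URI-loading functions such as document() or doc-as-string(). The sample documents are constructed; treating xsl:include and xsl:import as equally worth flagging is my own assumption.

```python
# Added example (not from the original page or from MoinMoin): a pre-save
# audit of XSLT submitted as wiki content.  Only the stdlib expat bindings are
# used; expat never performs I/O by itself, so nothing named in the document
# is ever opened while it is being inspected.
import xml.parsers.expat

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
EXSL_NS = "http://exslt.org/common"

# Elements whose href attribute names a resource the processor will read or
# write.  exsl:document is the one the page discusses; include/import are my
# assumption of what else is worth flagging.
HREF_ELEMENTS = {
    (XSLT_NS, "include"): "reads",
    (XSLT_NS, "import"): "reads",
    (EXSL_NS, "document"): "writes",
}
# XPath functions that take a URI argument and go through the URL resolver.
URI_FUNCTIONS = ("document(", "doc-as-string(")

# Constructed sample: an external entity plus an exsl:document element.
SAMPLE_MALICIOUS = """<?xml version="1.0"?>
<!DOCTYPE xsl:stylesheet [
  <!ENTITY leak SYSTEM "file:///etc/hostname">
]>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common"
    extension-element-prefixes="exsl">
  <xsl:template match="/">
    <out>&leak;</out>
    <exsl:document href="dropped.txt" method="text">payload</exsl:document>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed sample: an ordinary stylesheet that should produce no findings.
SAMPLE_BENIGN = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <h1><xsl:value-of select="title"/></h1>
  </xsl:template>
</xsl:stylesheet>
"""


def audit_xslt(doc: str) -> list:
    """Return human-readable findings for one XSLT document.

    An empty list means none of the dangerous constructs were seen.  A
    document the parser rejects is reported as a finding too, since it
    should not be stored either.
    """
    findings = []
    # With a namespace separator, element names arrive as "<uri> <local>".
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        # value is None exactly when the entity is external (SYSTEM/PUBLIC id).
        if value is None:
            kind = "parameter" if is_pe else "general"
            findings.append(f"external {kind} entity '{name}' -> {system_id}")

    def external_entity_ref(context, base, system_id, public_id):
        # Expat asks us to supply the entity; record it and return 1
        # ("handled") without opening anything.
        findings.append(f"external entity reference to {system_id} (not fetched)")
        return 1

    def start_element(name, attrs):
        ns, _, local = name.rpartition(" ")
        action = HREF_ELEMENTS.get((ns, local))
        if action is not None:
            findings.append(f"{local} {action} href={attrs.get('href', '?')}")
        if ns == XSLT_NS:
            for attr, value in attrs.items():
                if any(fn in value for fn in URI_FUNCTIONS):
                    findings.append(
                        f'xsl:{local} {attr}="{value}" calls a URI-loading function')

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    try:
        parser.Parse(doc, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, audit_xslt(sample) or ["no findings"])
```

Leaving allow_xslt at its default of False remains the primary mitigation; an audit like this only adds a layer for sites that need the feature, and it should be paired with a renderer whose XML parser is configured not to resolve external entities at display time.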
