Wiki source code of Application_MoinMoin

Last modified by Nicolas Gregoire on 2012/01/29 17:56

{{toc/}}

= Introduction =

According to [[Wikipedia>>http://en.wikipedia.org/wiki/Moinmoin||rel="__blank"]], "//MoinMoin is a wiki engine implemented in Python, initially based on the PikiPiki wiki engine. The MoinMoin code is licensed under the GNU General Public License v2, or (at the user's option) any later version (except some 3rd party modules that are licensed under other Free Software licenses compatible with the GPL). A number of organizations use MoinMoin to run public wikis, including notable free software projects Ubuntu, Apache, Debian, FreeBSD, and others.//"

= Vulnerabilities =

By default, the 'allow_xslt' configuration option is set to False. __If__ this option is set to True, then "read/write/overwrite arbitrary path/file as the moin process uid/gid" is possible. These bugs are triggered by inserting and then displaying wiki pages containing XSLT code.

This behavior was documented between versions 1.9.3 (June 2010) and 1.9.4 (should be released soon): [[MoinMoin security page>>http://moinmo.in/SecurityFixes||rel="__blank"]], [[commit>>http://hg.moinmo.in/moin/1.9/rev/99e2309a7ec0||rel="__blank"]].

= File disclosure =

Using an XML External Entity attack, it is possible to read text files ([[PoC>>attach:XsltReadFile]]).

__Note__: I was unable to abuse the doc-as-string() extension function because of the MoinMoin URL Resolver. However, I didn't spend much time on it, given that an XEE vulnerability was already found.

= File creation =

As described on the [[4Suite>>Engine_4Suite]] page, the <exsl:document> extension element allows file creation ([[PoC>>attach:XsltCreateFile]]).

= Self-referencing PoC =

The two attached PoCs are used as both XML data and XSLT code ([[Homoiconicity>>Homoiconicity]]!). If you upload them under another name, you __must__ modify the <?xml-stylesheet href="XXXX" type="text/xml"?> processing instruction accordingly.