Credit:
The original article can be found at: http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16
The information has been provided by Thomas Waldmann.
Vulnerable Systems:
* MoinMoin 1.9.4 and prior
Successful exploits will allow attackers to bypass certain security restrictions and gain unauthorized access to restricted content. This may aid in further attacks.
A group can have the special members "All", "Known" or "Trusted", but a bug caused the check for these to look in the group NAME rather than (as intended) in the group MEMBERS.
a) If you have group MEMBERS like "All" or "Known" or "Trusted", they did not work until now, but will start working with this changeset.
E.g. SomeGroup:
* JoeDoe
* Trusted
SomeGroup will now (correctly) include JoeDoe and also all trusted users.
It (erroneously) contained only "JoeDoe" and "Trusted" (as a username, not as a virtual group) before.
b) If you have group NAMES containing "All" or "Known" or "Trusted", they behaved incorrectly until now (they erroneously included All/Known/Trusted users even if you did not list them as members), but will start working correctly with this changeset.
E.g. AllFriendsGroup:
* JoeDoe
AllFriendsGroup will now (correctly) include only JoeDoe. It (erroneously) contained all users (including JoeDoe) before.
E.g. MyTrustedFriendsGroup:
* JoeDoe
MyTrustedFriendsGroup will now (correctly) include only JoeDoe. It (erroneously) contained all trusted users and JoeDoe before.
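The difference between the two checks, and a way to list which group definitions change meaning when the fix is applied, as an added example (a simplified model, not MoinMoin's own code). The function names, the user dictionary with `known`/`trusted` flags and the user "JaneRoe" are assumptions made for illustration; the group data is taken from the three examples above.

```python
SPECIAL = ("All", "Known", "Trusted")

def special_matches(special, user):
    # Assumed user model: {'name': str, 'known': bool, 'trusted': bool}
    if special == "All":
        return True
    if special == "Known":
        return user["known"]
    return user["known"] and user["trusted"]

def in_group_buggy(group_name, members, user):
    # Pre-fix behaviour: special names are looked for in the group NAME.
    if user["name"] in members:
        return True
    return any(s in group_name and special_matches(s, user) for s in SPECIAL)

def in_group_fixed(group_name, members, user):
    # Post-fix behaviour: special names are looked for in the group MEMBERS.
    if user["name"] in members:
        return True
    return any(s in members and special_matches(s, user) for s in SPECIAL)

def audit(groups):
    """Return {group_name: [notes]} for groups whose membership changes with the fix."""
    report = {}
    for name, members in groups.items():
        notes = []
        for s in SPECIAL:
            in_name, in_members = s in name, s in members
            if in_name and not in_members:
                notes.append("case b: name contains %r, %s users were wrongly included" % (s, s))
            elif in_members and not in_name:
                notes.append("case a: member %r will now expand to %s users" % (s, s))
        if notes:
            report[name] = notes
    return report

# Constructed sample data mirroring the advisory's examples.
GROUPS = {
    "SomeGroup": ["JoeDoe", "Trusted"],
    "AllFriendsGroup": ["JoeDoe"],
    "MyTrustedFriendsGroup": ["JoeDoe"],
}
ANON = {"name": "", "known": False, "trusted": False}
TRUSTED = {"name": "JaneRoe", "known": True, "trusted": True}
```

Running `audit()` over a wiki's group definitions before upgrading shows which ACLs were granting wider access than written (case b) and which will start granting access to virtual-group users after the upgrade (case a).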
CVE Information:
CVE-2012-4404
Disclosure Timeline:
Published : Sep 04 2012
Updated : Oct 11 2012