GLSA 200407-09: MoinMoin: Group ACL bypass

Severity:normal
Title:MoinMoin: Group ACL bypass
Date:07/11/2004
Bugs: #53126
ID:200407-09

Synopsis

MoinMoin contains a bug allowing a user to bypass group ACLs (Access Control Lists).

Background

MoinMoin is a Python clone of WikiWiki, based on PikiPiki.

Affected packages

Package Vulnerable Unaffected Architecture(s)
www-apps/moinmoin <= 1.2.1 >= 1.2.2 All supported architectures

Description

MoinMoin contains a bug in the code handling administrative group ACLs. A user created with the same name as an administrative group gains the privileges of the administrative group.

Impact

If an administrative group called AdminGroup existed an attacker could create a user called AdminGroup and gain the privileges of the group AdminGroup. This could lead to unauthorized users gaining administrative access.

Workaround

For every administrative group with special privileges create a user with the same name as the group.

Resolution

All users should upgrade to the latest available version of MoinMoin, as follows:

    # emerge sync
    
    # emerge -pv ">=www-apps/moinmoin-1.2.2"
    # emerge ">=www-apps/moinmoin-1.2.2"

References

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200407-09.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Thank you!