[VIM] MoinMoin 1.5.x MOIND_ID cookie Bug Remote Exploit
George A. Theall
theall at tenablesecurity.com
Thu Jan 24 15:56:14 UTC 2008
I haven't seen much coverage of this yet. The title of milw0rm 4957
isn't very suggestive. And SecurityFocus in Bugtraq 27404 calls it an
authentication bypass vulnerability.

At first blush, the PoC doesn't look that serious -- it creates an
account in MoinMoin and stores the profile info in a specified file
("README"). But MoinMoin lets anyone create a user profile, right?
And it uses the filename of that profile as the value for the MOIN_ID
cookie when you login, doesn't it? So what's the problem? Actually, I
think there are two:

First, the value of the MOIN_ID can be anything as long as it points
to an existing file that's writable by the web server user id. README
likely works because it is included by default. Ditto "../edit-log".
Even something like
"../../../../../../../../../../var/www/html/index.php" could work.

Second, the value for the 'quicklinks' parameter is not sanitized.
The PoC uses "podriamos-insertar-codigo-php-aqui-verdad-que-si",
which loosely translates to "we could insert PHP code here". And
indeed, something like "<?php system(id) ?>" suitably encoded goes
through just fine.

Combine the two issues and you've probably got a nice vector for
remote code execution, as long as the remote web server supports PHP
and you can figure out a path to a writable PHP file in the web
directory root. Sweet!

I've verified the issues in MoinMoin 1.5.8 (the latest in the 1.5
series). The patch only fixes the first. As for the second, the
MoinMoin developers don't see that as their problem since you could
just as easily put PHP code in a Wiki page.
George
--
theall at tenablesecurity.com
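The root cause of the first issue described in the post is that a cookie value is used directly as a filename. The following is an added example (not MoinMoin's code and not part of the original post) of the defensive check a profile loader should apply before touching the filesystem: an allow-list on the id syntax plus a containment check on the resolved path. The directory `/var/lib/moin/data/user` and the id shape `<unix time>.<fraction>.<random>` are assumptions made for the example, not values taken from the MoinMoin source.

```python
import os
import re

# Assumed profile directory; MoinMoin 1.5 keeps profiles under <data_dir>/user/<id>.
# Constructed for this example.
USER_DIR = "/var/lib/moin/data/user"

# Assumed id shape: "<unix time>.<fraction>.<random>", e.g. "1201190174.57.12345".
# Names like "README", relative paths and traversal sequences never match.
USER_ID_RE = re.compile(r"^\d{9,11}\.\d+\.\d{1,5}$")


def is_well_formed_user_id(value):
    """Syntactic allow-list: only a timestamp-style id is accepted."""
    return isinstance(value, str) and USER_ID_RE.match(value) is not None


def profile_path_for(cookie_value, user_dir=USER_DIR):
    """Map a MOIN_ID cookie value to a profile path, or None if it must be rejected.

    Two independent layers: the regex above, and a containment check that the
    resolved path is a direct child of user_dir. The second layer still holds
    if the regex is ever loosened (e.g. to allow a different id format)."""
    if not is_well_formed_user_id(cookie_value):
        return None
    base = os.path.realpath(user_dir)
    candidate = os.path.realpath(os.path.join(base, cookie_value))
    # realpath() collapses any "..", so a traversal value lands outside base
    # and is refused here; a symlinked profile dir is also resolved first.
    if os.path.dirname(candidate) != base:
        return None
    return candidate


def audit_cookie_values(values):
    """Return {value: accepted} for a batch of cookie values (useful for log review)."""
    return {v: profile_path_for(v) is not None for v in values}


if __name__ == "__main__":
    # Constructed sample values: the three shapes named in the post plus a
    # well-formed id of the assumed format.
    samples = [
        "README",
        "../edit-log",
        "../../../../../../../../../../var/www/html/index.php",
        "1201190174.57.12345",
    ]
    for value, ok in audit_cookie_values(samples).items():
        print("%-55s %s" % (value, "accepted" if ok else "REJECTED"))
```

Rejecting at the cookie-parsing step also neutralises the second issue for this vector: profile contents such as `quicklinks` can only ever be written inside the profile directory, which should not be served by the web server or be on the PHP include path. Whether stored profile fields are HTML-escaped on output is a separate matter the post's last paragraph leaves to the developers.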