MoinMoin: Group ACL bypass — GLSA 200408-25

MoinMoin contains a bug allowing anonymous users to bypass ACLs (Access Control Lists) and carry out operations that should be limited to authorized users.

Affected packages

Package	www-apps/moinmoin on all architectures
Affected versions	<= 1.2.2
Unaffected versions	>= 1.2.3

Background

MoinMoin is a Python clone of WikiWiki, based on PikiPiki.

Description

MoinMoin contains two unspecified bugs, one allowing anonymous users elevated access when not using ACLs, and the other in the ACL handling in the PageEditor.

Impact

Restrictions on anonymous users were not properly enforced. This could lead to unauthorized users gaining administrative access to functions such as "revert" and "delete". Sites are vulnerable whether or not they are using ACLs.

Workaround

There is no known workaround.

Resolution

All users should upgrade to the latest available version of MoinMoin, as follows:

 # emerge sync
 
 # emerge -pv ">=www-apps/moinmoin-1.2.3"
 # emerge ">=www-apps/moinmoin-1.2.3"

References

Release date
August 26, 2004

Latest revision
May 22, 2006: 02

Severity
normal

Exploitable
remote

Bugzilla entries

57913