The cache action in action/cache.py allows directory traversal through a crafted HTTP request. An attacker who can upload attachments to
the wiki can use this to achieve remote code execution.
Users are strongly advised to upgrade to a patched version.
MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes.
It is not advised to work around this, but to upgrade MoinMoin to a patched version.
That said, a work around via disabling the cache
or the AttachFile
action might be possible.
Also, it is of course helpful if you give write
permissions (which include uploading attachments) only to trusted users.
This vulnerability was discovered by Michael Chapman.
If you have any questions or comments about this advisory, email me at [email protected].
moinmo.in/SecurityFixes
github.com/moinwiki/moin-1.9/commit/6b96a9060069302996b5af47fd4a388fc80172b7
github.com/moinwiki/moin-1.9/security/advisories/GHSA-52q8-877j-gghq
lists.debian.org/debian-lts-announce/2020/11/msg00020.html
nvd.nist.gov/vuln/detail/CVE-2020-25074
pypi.org/project/moin
www.debian.org/security/2020/dsa-4787