ID CVE-2012-6081
Summary Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, as exploited in the wild in July 2012.
References
Vulnerable Configurations
  • moinmo MoinMoin 1.9.5
    cpe:2.3:a:moinmo:moinmoin:1.9.5
  • moinmo MoinMoin 1.9.3
    cpe:2.3:a:moinmo:moinmoin:1.9.3
  • moinmo MoinMoin 1.9.2
    cpe:2.3:a:moinmo:moinmoin:1.9.2
  • moinmo MoinMoin 1.9.0
    cpe:2.3:a:moinmo:moinmoin:1.9.0
  • moinmo MoinMoin 1.9.1
    cpe:2.3:a:moinmo:moinmoin:1.9.1
  • moinmo MoinMoin 1.9.4
    cpe:2.3:a:moinmo:moinmoin:1.9.4
  • moinmo MoinMoin 1.3.5 release candidate 1
    cpe:2.3:a:moinmo:moinmoin:1.3.5:rc1
  • moinmo MoinMoin 1.3.4
    cpe:2.3:a:moinmo:moinmoin:1.3.4
  • moinmo MoinMoin 1.3.3
    cpe:2.3:a:moinmo:moinmoin:1.3.3
  • moinmo MoinMoin 1.3.2
    cpe:2.3:a:moinmo:moinmoin:1.3.2
  • moinmo MoinMoin 1.4
    cpe:2.3:a:moinmo:moinmoin:1.4
  • moinmo MoinMoin 1.3.5
    cpe:2.3:a:moinmo:moinmoin:1.3.5
  • moinmo MoinMoin 1.2.2
    cpe:2.3:a:moinmo:moinmoin:1.2.2
  • moinmo MoinMoin 1.2.1
    cpe:2.3:a:moinmo:moinmoin:1.2.1
  • moinmo MoinMoin 1.2
    cpe:2.3:a:moinmo:moinmoin:1.2
  • moinmo MoinMoin 1.1
    cpe:2.3:a:moinmo:moinmoin:1.1
  • moinmo MoinMoin 1.3.1
    cpe:2.3:a:moinmo:moinmoin:1.3.1
  • moinmo MoinMoin 1.3.0
    cpe:2.3:a:moinmo:moinmoin:1.3.0
  • moinmo MoinMoin 1.2.4
    cpe:2.3:a:moinmo:moinmoin:1.2.4
  • moinmo MoinMoin 1.2.3
    cpe:2.3:a:moinmo:moinmoin:1.2.3
  • moinmo MoinMoin 1.6.1
    cpe:2.3:a:moinmo:moinmoin:1.6.1
  • moinmo MoinMoin 1.0
    cpe:2.3:a:moinmo:moinmoin:1.0
  • moinmo MoinMoin 1.6.2
    cpe:2.3:a:moinmo:moinmoin:1.6.2
  • moinmo MoinMoin 1.6.0 release candidate 2
    cpe:2.3:a:moinmo:moinmoin:1.6.0:rc2
  • moinmo MoinMoin 1.6.4
    cpe:2.3:a:moinmo:moinmoin:1.6.4
  • moinmo MoinMoin 1.6.3
    cpe:2.3:a:moinmo:moinmoin:1.6.3
  • moinmo MoinMoin 1.7.0 beta1
    cpe:2.3:a:moinmo:moinmoin:1.7.0:beta1
  • moinmo MoinMoin 1.7.0
    cpe:2.3:a:moinmo:moinmoin:1.7.0
  • moinmo MoinMoin 1.7.0 release candidate 1
    cpe:2.3:a:moinmo:moinmoin:1.7.0:rc1
  • moinmo MoinMoin 1.7.0 beta2
    cpe:2.3:a:moinmo:moinmoin:1.7.0:beta2
  • moinmo MoinMoin 1.7.0 release candidate 3
    cpe:2.3:a:moinmo:moinmoin:1.7.0:rc3
  • moinmo MoinMoin 1.7.0 release candidate 2
    cpe:2.3:a:moinmo:moinmoin:1.7.0:rc2
  • moinmo MoinMoin 1.7.2
    cpe:2.3:a:moinmo:moinmoin:1.7.2
  • moinmo MoinMoin 1.7.1
    cpe:2.3:a:moinmo:moinmoin:1.7.1
  • moinmo MoinMoin 1.7.3
    cpe:2.3:a:moinmo:moinmoin:1.7.3
  • moinmo MoinMoin 1.5.1
    cpe:2.3:a:moinmo:moinmoin:1.5.1
  • moinmo MoinMoin 1.5.2
    cpe:2.3:a:moinmo:moinmoin:1.5.2
  • moinmo MoinMoin 1.5.3 release candidate 1
    cpe:2.3:a:moinmo:moinmoin:1.5.3:rc1
  • moinmo MoinMoin 1.5.3 release candidate 2
    cpe:2.3:a:moinmo:moinmoin:1.5.3:rc2
  • moinmo MoinMoin 1.5.3
    cpe:2.3:a:moinmo:moinmoin:1.5.3
  • moinmo MoinMoin 1.5.4
    cpe:2.3:a:moinmo:moinmoin:1.5.4
  • moinmo MoinMoin 1.5.5 release candidate 1
    cpe:2.3:a:moinmo:moinmoin:1.5.5:rc1
  • moinmo MoinMoin 1.5.5
    cpe:2.3:a:moinmo:moinmoin:1.5.5
  • moinmo MoinMoin 1.5.5a
    cpe:2.3:a:moinmo:moinmoin:1.5.5a
  • moinmo MoinMoin 1.5.6
    cpe:2.3:a:moinmo:moinmoin:1.5.6
  • moinmo MoinMoin 1.5.7
    cpe:2.3:a:moinmo:moinmoin:1.5.7
  • moinmo MoinMoin 1.5.8
    cpe:2.3:a:moinmo:moinmoin:1.5.8
  • moinmo MoinMoin 1.6.0
    cpe:2.3:a:moinmo:moinmoin:1.6.0
  • moinmo MoinMoin 1.6.0 beta2
    cpe:2.3:a:moinmo:moinmoin:1.6.0:beta2
  • moinmo MoinMoin 1.6.0 beta1
    cpe:2.3:a:moinmo:moinmoin:1.6.0:beta1
  • moinmo MoinMoin 1.6.0 release candidate 1
    cpe:2.3:a:moinmo:moinmoin:1.6.0:rc1
  • moinmo MoinMoin 1.8.7
    cpe:2.3:a:moinmo:moinmoin:1.8.7
  • MoinMoin 1.5.5a
    cpe:2.3:a:moinmo:moinmoin:1.5.5:a
  • moinmo MoinMoin 1.8.8
    cpe:2.3:a:moinmo:moinmoin:1.8.8
  • moinmo MoinMoin 1.8.6
    cpe:2.3:a:moinmo:moinmoin:1.8.6
  • moinmo MoinMoin 1.8.4
    cpe:2.3:a:moinmo:moinmoin:1.8.4
  • moinmo MoinMoin 1.8.3
    cpe:2.3:a:moinmo:moinmoin:1.8.3
  • moinmo MoinMoin 1.8.2
    cpe:2.3:a:moinmo:moinmoin:1.8.2
  • moinmo MoinMoin 1.8.1
    cpe:2.3:a:moinmo:moinmoin:1.8.1
  • moinmo MoinMoin 1.8.0
    cpe:2.3:a:moinmo:moinmoin:1.8.0
  • moinmo MoinMoin 1.5.0
    cpe:2.3:a:moinmo:moinmoin:1.5.0
  • moinmo MoinMoin 1.5.0 release candidate 1
    cpe:2.3:a:moinmo:moinmoin:1.5.0:rc1
  • moinmo MoinMoin 1.5.0 beta6
    cpe:2.3:a:moinmo:moinmoin:1.5.0:beta6
  • moinmo MoinMoin 1.5.0 beta5
    cpe:2.3:a:moinmo:moinmoin:1.5.0:beta5
  • moinmo MoinMoin 1.5.0 beta4
    cpe:2.3:a:moinmo:moinmoin:1.5.0:beta4
  • moinmo MoinMoin 1.5.0 beta3
    cpe:2.3:a:moinmo:moinmoin:1.5.0:beta3
  • moinmo MoinMoin 1.5.0 beta2
    cpe:2.3:a:moinmo:moinmoin:1.5.0:beta2
  • moinmo MoinMoin 1.5.0 beta1
    cpe:2.3:a:moinmo:moinmoin:1.5.0:beta1
  • moinmo MoinMoin 0.7
    cpe:2.3:a:moinmo:moinmoin:0.7
  • moinmo MoinMoin 0.8
    cpe:2.3:a:moinmo:moinmoin:0.8
  • moinmo MoinMoin 0.5
    cpe:2.3:a:moinmo:moinmoin:0.5
  • moinmo MoinMoin 0.6
    cpe:2.3:a:moinmo:moinmoin:0.6
  • moinmo MoinMoin 0.11
    cpe:2.3:a:moinmo:moinmoin:0.11
  • moinmo MoinMoin 0.9
    cpe:2.3:a:moinmo:moinmoin:0.9
  • moinmo MoinMoin 0.10
    cpe:2.3:a:moinmo:moinmoin:0.10
  • moinmo MoinMoin 0.3
    cpe:2.3:a:moinmo:moinmoin:0.3
  • moinmo MoinMoin 0.4
    cpe:2.3:a:moinmo:moinmoin:0.4
  • moinmo MoinMoin 0.1
    cpe:2.3:a:moinmo:moinmoin:0.1
  • moinmo MoinMoin 0.2
    cpe:2.3:a:moinmo:moinmoin:0.2
CVSS
Base: 6.0 (as of 03-01-2013 - 12:06)
Impact:
Exploitability:
Access Vector NETWORK
Access Complexity MEDIUM
Authentication SINGLE_INSTANCE
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
d2sec via4
name MoinMoin 1.9.5 RCE
url http://www.d2sec.com/exploits/moinmoin_1.9.5_rce.html
exploit-db via4
  • description MoinMoin twikidraw Action Traversal File Upload. CVE-2012-6081,CVE-2012-6495. Remote exploit for linux platform
    id EDB-ID:26422
    last seen 2016-02-03
    modified 2013-06-24
    published 2013-06-24
    reporter metasploit
    source https://www.exploit-db.com/download/26422/
    title MoinMoin twikidraw Action Traversal File Upload
  • description MoinMoin - Arbitrary Command Execution. CVE-2012-6081,CVE-2012-6495. Webapps exploit for php platform
    file exploits/php/webapps/25304.py
    id EDB-ID:25304
    last seen 2016-02-03
    modified 2013-05-08
    platform php
    port
    published 2013-05-08
    reporter HTP
    source https://www.exploit-db.com/download/25304/
    title MoinMoin - Arbitrary Command Execution
    type webapps
metasploit via4
description This module exploits a vulnerability in MoinMoin 1.9.5. The vulnerability exists in the handling of the twikidraw actions, where a traversal path can be used in order to upload arbitrary files. Exploitation is achieved on Apache/mod_wsgi configurations by overwriting moin.wsgi, which allows execution of arbitrary Python code, as exploited in the wild in July 2012. This module is "ManualRanking", and the user is warned to use this module at his own risk since it will overwrite the moin.wsgi file, required for the correct working of the MoinMoin wiki. While the exploit will try to restore the attacked application at post exploitation, successful restoration cannot be guaranteed.
id MSF:EXPLOIT/UNIX/WEBAPP/MOINMOIN_TWIKIDRAW
last seen 2019-02-24
modified 2018-08-20
published 2013-06-17
reliability Manual
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/moinmoin_twikidraw.rb
title MoinMoin twikidraw Action Traversal File Upload
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2593.NASL
    description It was discovered that missing input validation in the twikidraw and anywikidraw actions can result in the execution of arbitrary code. This security issue is being actively exploited. This update also addresses path traversal in AttachFile.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 63356
    published 2012-12-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63356
    title Debian DSA-2593-1 : moin - several vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-0685.NASL
    description Update to 1.9.6. Fixes CVE-2012-6495. For full changes, see: http://hg.moinmo.in/moin/1.9/raw-file/1.9.6/docs/CHANGES Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 63656
    published 2013-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63656
    title Fedora 17 : moin-1.9.6-1.fc17 (2013-0685)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-0640.NASL
    description Update to 1.9.6. Fixes CVE-2012-6495. For full changes, see: http://hg.moinmo.in/moin/1.9/raw-file/1.9.6/docs/CHANGES Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 63655
    published 2013-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63655
    title Fedora 16 : moin-1.9.6-1.fc16 (2013-0640)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201309-14.NASL
    description The remote host is affected by the vulnerability described in GLSA-201309-14 (MoinMoin: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in MoinMoin. Please review the CVE identifiers referenced below for details. Impact: A remote attacker may be able to execute arbitrary code with the privileges of the process, overwrite arbitrary files, or conduct Cross-Site Scripting (XSS) attacks. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 70110
    published 2013-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70110
    title GLSA-201309-14 : MoinMoin: Multiple vulnerabilities
  • NASL family CGI abuses
    NASL id MOINMOIN_1_9_6.NASL
    description According to its version number, the MoinMoin install hosted on the remote web server is affected by multiple vulnerabilities: - Versions 1.9.3 up to 1.9.5 are affected by a directory traversal vulnerability because the _do_attachment_move action in 'AttachFile.py' does not properly sanitize user-supplied input. This could allow an unauthenticated, remote attacker to upload and overwrite arbitrary files on the remote host. (CVE-2012-6080) - Versions 1.9.x up to 1.9.5 are affected by a remote code execution vulnerability because the 'twikidraw.py' action fails to properly sanitize user-supplied input. A remote, unauthenticated attacker could utilize a specially crafted request using directory traversal style characters to upload a file containing arbitrary code to the remote host. An attacker could then execute the code with the privileges of the user that runs the MoinMoin process. (CVE-2012-6081) - Version 1.9.5 is affected by a cross-site scripting (XSS) vulnerability because the application fails to properly sanitize user-supplied input in the 'page_name' parameter when creating an rss link. An attacker could leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site. (CVE-2012-6082) - Versions < 1.9.x are not maintained by MoinMoin developers and should be considered vulnerable. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 64930
    published 2013-02-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64930
    title MoinMoin < 1.9.6 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-0600.NASL
    description Update to 1.9.6. Fixes CVE-2012-6495. For full changes, see: http://hg.moinmo.in/moin/1.9/raw-file/1.9.6/docs/CHANGES Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 63636
    published 2013-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63636
    title Fedora 18 : moin-1.9.6-1.fc18 (2013-0600)
  • NASL family CGI abuses
    NASL id MOINMOIN_TWIKIDRAW_CODE_EXEC.NASL
    description The MoinMoin install hosted on the remote web server fails to properly sanitize user-supplied input in the twikidraw (action/twikidraw.py) action. A remote, unauthenticated attacker could utilize a specially crafted request using directory traversal style characters to upload a file containing arbitrary code to the remote host. An attacker could then execute the code with the privileges of the user that runs the MoinMoin process. Successful exploitation requires that the MoinMoin plugin directory has write permission set for the MoinMoin server user. Note that the 'anywikidraw' action is reportedly also affected by the directory traversal and code execution vulnerabilities. The application is also reportedly affected by an additional directory traversal vulnerability in the action/AttachFile.py script (CVE-2012-6080) as well as a cross-site scripting (XSS) vulnerability when creating an rss link (CVE-2012-6082). Nessus has not, however, tested for these additional issues.
    last seen 2019-02-21
    modified 2018-06-13
    plugin id 63638
    published 2013-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63638
    title MoinMoin twikidraw.py Traversal File Upload Arbitrary File Overwrite
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_A264B1B0572611E2948314DAE938EC40.NASL
    description MoinMoin developers report the following vulnerabilities as fixed in version 1.9.6: - remote code execution vulnerability in twikidraw/anywikidraw action, - path traversal vulnerability in AttachFile action, - XSS issue, escape page name in rss link. CVE entries at MITRE further clarify: Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, as exploited in the wild in July 2012. Directory traversal vulnerability in the _do_attachment_move function in the AttachFile action (action/AttachFile.py) in MoinMoin 1.9.3 through 1.9.5 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a file name. Cross-site scripting (XSS) vulnerability in the rsslink function in theme/__init__.py in MoinMoin 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the page name in a rss link.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 63397
    published 2013-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63397
    title FreeBSD : moinmoin -- Multiple vulnerabilities (a264b1b0-5726-11e2-9483-14dae938ec40)
packetstorm via4
data source https://packetstormsecurity.com/files/download/122079/moinmoin_twikidraw.rb.txt
id PACKETSTORM:122079
last seen 2016-12-05
published 2013-06-19
reporter juan vazquez
source https://packetstormsecurity.com/files/122079/MoinMoin-twikidraw-Action-Traversal-File-Upload.html
title MoinMoin twikidraw Action Traversal File Upload
refmap via4
bid 57082
confirm
debian DSA-2593
exploit-db 25304
misc https://bugs.launchpad.net/ubuntu/+source/moin/+bug/1094599
mlist
  • [oss-security] 20121229 CVE request: MoinMoin Wiki (remote code execution vulnerability)
  • [oss-security] 20121229 Re: CVE request: MoinMoin Wiki (remote code execution vulnerability)
secunia
  • 51663
  • 51676
  • 51696
ubuntu USN-1680-1
the hacker news via4
id THN:513C185A1CC3F29D2D37E30BC34E5D30
last seen 2017-01-08
modified 2013-01-11
published 2013-01-09
reporter Mohit Kumar
source http://thehackernews.com/2013/01/official-debian-and-python-wiki-servers.html
title Official Debian and Python Wiki Servers Compromised
Last major update 13-12-2013 - 00:08
Published 02-01-2013 - 20:55