Detections
Analytics

MoinMoin 'sys.argv' Information Disclosure

medium Nessus Plugin ID 44383

Language:

Synopsis

A wiki application on the remote web server has an information disclosure vulnerability.

Description

The version of MoinMoin running on the remote host has an information disclosure vulnerability. Using a specially crafted request, an unauthenticated, remote attacker can specify the directory that the application uses for its static pages and read arbitrary files from that directory, subject to the privileges under which the application runs.

Note that successful exploitation requires MoinMoin's 'FCGI_FORCE_CGI' setting to be enabled.

Solution

Upgrade to MoinMoin 1.9.1 or later.

See Also

http://moinmo.in/MoinMoinChat/Logs/moin-dev/2010-01-18

http://hg.moinmo.in/moin/1.9/rev/9d8e7ce3c3a2

http://moinmo.in/SecurityFixes

Plugin Details

Severity: Medium

ID: 44383

File Name: moinmoin_argv_info_disclosure.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 2/2/2010

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:moinmo:moinmoin

Required KB Items: www/moinmoin

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No known exploits are available

Patch Publication Date: 1/19/2010

Vulnerability Publication Date: 1/18/2010

Reference Information

BID: 37853

SECUNIA: 38242