GLSA-200407-09 : MoinMoin: Group ACL bypass
High Nessus Plugin ID 14542
SynopsisThe remote Gentoo host is missing one or more security-related patches.
DescriptionThe remote host is affected by the vulnerability described in GLSA-200407-09 (MoinMoin: Group ACL bypass)
MoinMoin contains a bug in the code handling administrative group ACLs.
A user created with the same name as an administrative group gains the privileges of the administrative group.
If an administrative group called AdminGroup existed an attacker could create a user called AdminGroup and gain the privileges of the group AdminGroup. This could lead to unauthorized users gaining administrative access.
For every administrative group with special privileges create a user with the same name as the group.
SolutionAll users should upgrade to the latest available version of MoinMoin, as follows:
# emerge sync # emerge -pv '>=www-apps/moinmoin-1.2.2' # emerge '>=www-apps/moinmoin-1.2.2'