1 2013-01-11T05:31:42 *** MattMaker
2 2013-01-11T06:06:45 *** dwcramer
3 2013-01-11T10:26:44 *** greg_f
4 2013-01-11T11:23:33 <dreimark> moin
5 2013-01-11T13:50:10 *** dave_largo
6 2013-01-11T14:18:03 *** bruno_
7 2013-01-11T14:38:00 *** dwcramer
8 2013-01-11T14:56:52 *** RogerHaase
9 2013-01-11T15:31:43 *** dwcramer
10 2013-01-11T15:54:52 *** dwcramer
11 2013-01-11T16:24:09 *** dwcramer
12 2013-01-11T18:14:46 <nightolo> ThomasWaldmann: are you around?
13 2013-01-11T18:21:25 <dreimark> some more problems?
14 2013-01-11T18:22:25 <nightolo> is there any way to verify if a patched version of moinmoin is still vulnerable to the bug that was found some days ago?
15 2013-01-11T18:22:30 <nightolo> (and fixed in 1.9.6)
16 2013-01-11T18:22:51 <nightolo> I'm using the stock Debian version, which should've been patched, and SystemInfo is reporting 1.9.4, additionally in the code I see the patch
17 2013-01-11T18:23:06 <nightolo> despite that, yesterday morning I got moinexec.py installed through twikidraw again
18 2013-01-11T18:23:33 <dreimark> then it is not using that code
19 2013-01-11T18:23:54 <dreimark> have you old pyc files?
20 2013-01-11T18:24:04 <dreimark> older than the patched files
21 2013-01-11T18:25:28 <dreimark> was the server process restarted after the upgrade?
22 2013-01-11T18:25:55 <nightolo> moinexec.pyc: newer than the patches
23 2013-01-11T18:26:00 <nightolo> server restarted: yes
24 2013-01-11T18:30:12 <nightolo> it's weird
25 2013-01-11T18:30:24 <nightolo> I've just reproduced the problem, I'm pretty sure I'm running the patched code
26 2013-01-11T18:30:57 <dreimark> I meant the action, has it a newer pyc file?
27 2013-01-11T18:32:14 <nightolo> ok checking
28 2013-01-11T18:32:42 <nightolo> yes it is all new, let me double check if I'm running the latest version of the code but that seems the case
29 2013-01-11T18:46:09 <dreimark> if it is using taintfile, a submission can't escape from the attachments directory
30 2013-01-11T18:47:00 <dreimark> you will have a file there if you are attacked again.
31 2013-01-11T18:47:50 <nightolo> ok, I suppose that is how it should work
32 2013-01-11T18:48:23 <dreimark> but not in the plugin dir.
33 2013-01-11T18:51:00 <dreimark> We can discuss later what we should do in such a case. drop those files to somewhere else
34 2013-01-11T18:51:29 <nightolo> well, it seems that in my case the file ends up in the plugin dir
35 2013-01-11T18:52:10 <dreimark> very bad
36 2013-01-11T18:52:21 <dreimark> where can i look at the debian repo
37 2013-01-11T18:52:40 *** greg_f
38 2013-01-11T18:52:40 <nightolo> this is the URL that you can test: http://lab.dyne.org//WikiSandBox?action=twikidraw&do=modify&target=../../../plugin/action/moinexec.py
39 2013-01-11T18:52:44 <nightolo> debian repo, just a sec
40 2013-01-11T18:54:06 <nightolo> -> http://anonscm.debian.org/gitweb/?p=collab-maint/moin.git;a=summary
41 2013-01-11T19:43:42 *** bruno_
42 2013-01-11T19:56:10 *** bruno_
43 2013-01-11T20:05:30 * dreimark can't reproduce on a fresh debian instance
44 2013-01-11T20:07:25 <dreimark> nightolo: Unbekannte Aktion moinexec.
45 2013-01-11T20:07:36 <dreimark> on your wiki
46 2013-01-11T20:09:28 <ThomasWaldmann> nightolo: check if you really have the debian package installed AND you are not executing locally/manually installed code instead of the debian code
47 2013-01-11T20:10:16 <dreimark> bbl
48 2013-01-11T20:10:33 *** dwcramer
49 2013-01-11T20:24:55 *** dwcramer
50 2013-01-11T21:13:08 *** dwcramer
51 2013-01-11T21:35:18 *** dwcramer
52 2013-01-11T21:53:26 *** dave_largo
53 2013-01-11T23:22:47 *** RogerHaase
MoinMoin: MoinMoinChat/Logs/moin-dev/2013-01-11 (last edited 2013-01-11 04:45:06 by IrcLogImporter)