VYPR
Moderate severity · NVD Advisory · Published Sep 10, 2012 · Updated Apr 29, 2026

CVE-2012-4404

Description

security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Affected versions   Patched versions
moin (PyPI)   >= 1.9, < 1.9.5     1.9.5

Affected products

  • Moinmo/Moinmoin (5 versions)
    • cpe:2.3:a:moinmo:moinmoin:1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moinmo:moinmoin:1.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moinmo:moinmoin:1.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moinmo:moinmoin:1.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moinmo:moinmoin:1.9.4:*:*:*:*:*:*:*

Patches

b7791166cb36

security fix: fix virtual group bug in ACL evaluation, add a test for it

2 files changed · +49 −2
  • MoinMoin/security/__init__.py (+3 −2, modified)
    @@ -235,11 +235,12 @@ def may(self, name, dowhat):
                     handler = getattr(self, "_special_"+entry, None)
                     allowed = handler(name, dowhat, rightsdict)
                 elif entry in groups:
    -                if name in groups[entry]:
    +                this_group = groups[entry]
    +                if name in this_group:
                         allowed = rightsdict.get(dowhat)
                     else:
                         for special in self.special_users:
    -                        if special in entry:
    +                        if special in this_group:
                                 handler = getattr(self, "_special_" + special, None)
                                 allowed = handler(name, dowhat, rightsdict)
                                 break # order of self.special_users is important
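Review bot: the defect is the substring test `if special in entry:` on the group *name*, which treated any group whose name merely contained "All", "Known" or "Trusted" (for example "AllGroup") as if that virtual group were among its members; `if special in this_group:` now tests the group's member set, which is the correct condition. Because the loop still stops at the first matching special user, the order of `self.special_users` decides which handler runs when a group lists more than one virtual group; a one-line comment above the `for` stating the intended precedence would make the `break # order ... is important` remark self-explanatory for the next reader.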
    
  • MoinMoin/security/_tests/test_security.py (+46 −0, modified)
    @@ -16,6 +16,7 @@
     
     from MoinMoin.user import User
     from MoinMoin.config import ACL
    +from MoinMoin.datastruct import ConfigGroups
     
     from MoinMoin._tests import update_item
     from MoinMoin._tests import become_trusted
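Review bot: `ConfigGroups` is not referenced by any line in this hunk; it is needed by the `TestGroupACL.Config.groups` fixture added further down in the same file, so the import is justified. Keeping it here with the other module-level `MoinMoin` imports is the right placement; the new test class imports `wikiconfig` inline in its class body instead, and moving that one up here as well would keep the file's import style uniform.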
    @@ -257,6 +258,51 @@ def testApplyACLByUser(self):
                     assert not acl.may(user, right)
     
     
    +class TestGroupACL(object):
    +
    +    from MoinMoin._tests import wikiconfig
    +    class Config(wikiconfig.Config):
    +        def groups(cfg):
    +            groups = {
    +                u'PGroup': frozenset([u'Antony', u'Beatrice', ]),
    +                u'AGroup': frozenset([u'All', ]),
    +                # note: the next line is a INTENDED misnomer, there is "All" in
    +                # the group NAME, but not in the group members. This makes
    +                # sure that a bug that erroneously checked "in groupname" (instead
    +                # of "in groupmembers") does not reappear.
    +                u'AllGroup': frozenset([]), # note: intended misnomer
    +            }
    +            return ConfigGroups(groups)
    +
    +    def testApplyACLByGroup(self):
    +        """ security: applying acl by group name"""
    +        # This acl string...
    +        acl_rights = [
    +            "PGroup,AllGroup:read,write,admin "
    +            "AGroup:read "
    +            ]
    +        acl = AccessControlList(acl_rights, valid=app.cfg.acl_rights_contents)
    +
    +        # Should apply these rights:
    +        users = (
    +            # user, rights
    +            ('Antony', ('read', 'write', 'admin', )),  # in PGroup
    +            ('Beatrice', ('read', 'write', 'admin', )),  # in PGroup
    +            ('Charles', ('read', )),  # virtually in AGroup
    +            )
    +
    +        # Check rights
    +        for user, may in users:
    +            mayNot = [right for right in app.cfg.acl_rights_contents
    +                      if right not in may]
    +            # User should have these rights...
    +            for right in may:
    +                assert acl.may(user, right)
    +            # But NOT these:
    +            for right in mayNot:
    +                assert not acl.may(user, right)
    +
    +
     class TestItemAcls(object):
         """ security: real-life access control list on items testing
         """
    

