X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/2a9e9f13f6583ba04bca06750373d462985c5ccb..33b39968948f2dcda5c073916d797259e441d1de:/doc/security.mdwn diff --git a/doc/security.mdwn b/doc/security.mdwn index e4851ecf5..317a534ca 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -9,7 +9,7 @@ privately instead of listing it in a public bug tracker, so that we can arrange for coordinated disclosure when a fix is available. The maintainers are [[Joey Hess|joey]] (), [[Simon McVittie|smcv]] () -and [[Amitai Schleier|schmonz]] (`schmonz-web-ikiwiki schmonz com`). +and [[Amitai Schleier|schmonz]] (). [[!toc levels=2]] 
@@ -546,3 +546,47 @@ vulnerability to execute arbitrary Perl code. An upgrade is recommended for sites where an untrusted user is able to attach files with arbitrary names and/or run a setuid ikiwiki wrapper with a working directory of their choice. + +## Editing restriction bypass for git revert + +intrigeri discovered that a web or git user could revert a change to a +page they are not allowed to edit, if the change being reverted was made +before the page was moved from a location where that user had permission +to edit it. For example, if a file is moved from `drafts/policy.mdwn` +(editable by less-trusted users) to `policy.mdwn` (only editable +by more-trusted users), a less-trusted user could revert a change +that was made to `drafts/policy.mdwn` prior to that move, and it would +result in `policy.mdwn` being altered. + +This affects sites with the `git` VCS and the `recentchanges` plugin, +which are both used in most ikiwiki installations. + +This bug was reported on 2016-12-17. A partially fixed version +3.20161219 was released on 2016-12-19, but the solution used in that +version was not effective with git versions older than 2.8.0. + +([[!cve CVE-2016-10026]] represents the original vulnerability. +[[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability +in 3.20161219 caused by the incomplete fix.) + +## Commit metadata forgery via CGI::FormBuilder context-dependent APIs + +When CGI::FormBuilder->field("foo") is called in list context (and +in particular in the arguments to a subroutine that takes named +arguments), it can return zero or more values for foo from the CGI +request, rather than the expected single value. This breaks the usual +Perl parsing convention for named arguments, similar to CVE-2014-1572 +in Bugzilla (which was caused by a similar API design issue in CGI.pm). 
+ +In ikiwiki, this appears to have been exploitable in two places, both +of them relatively minor: + +* in the comments plugin, an attacker who was able to post a comment + could give it a user-specified author and author-URL even if the wiki + configuration did not allow for that, by crafting multiple values + for other fields +* in the editpage plugin, an attacker who was able to edit a page + could potentially forge commit authorship (attribute their edit to + someone else) by crafting multiple values for the rcsinfo field + +([[!cve CVE-2016-9646]]/OVE-20161226-0001)
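Review bot: in the first hunk (`@@ -9,7 +9,7 @@`), the replacement line leaves the contact for schmonz as an empty `()`, and the parentheticals for joey and smcv on the unchanged context line are empty as well, which suggests the addresses are written in angle brackets and are being dropped as HTML tags when the page is rendered. The previous line at least carried a human-readable (if obfuscated) address, `schmonz-web-ikiwiki schmonz com`. Please verify that a reporting address actually survives in the rendered page, for example by escaping the brackets or using a link form ikiwiki renders literally; a page whose only purpose is to tell reporters how to contact the maintainers privately for coordinated disclosure must not render with no address at all.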
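Review bot: in the second hunk (`@@ -546,3 +546,47 @@`), neither new section states the ikiwiki version that contains the effective fix. The git revert section only says that 3.20161219 was a partial fix that does not work with git older than 2.8.0, and the CGI::FormBuilder section gives no release at all, so a site administrator reading this advisory cannot tell whether their installation is still affected. Add a closing sentence to each section along the lines of "This was fixed in ikiwiki [FIXED-VERSION]" (version to be filled in from the actual release), and for the FormBuilder issue a report date to match the other entries. Minor style point: `CGI::FormBuilder->field("foo")` should be in backticks like the other code spans on this page (`drafts/policy.mdwn`, `policy.mdwn`), otherwise the quotes and arrow render as plain prose.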