X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/7586f5165e36ca010d14ad87202ad923ca63144b..afad77a7e06072609956d19d6bdf7fdd24a5293c:/doc/security.mdwn?ds=sidebyside
diff --git a/doc/security.mdwn b/doc/security.mdwn
index a538a49fe..fcc33fd48 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -564,8 +564,8 @@ which are both used in most ikiwiki installations.
This bug was reported on 2016-12-17. A partially fixed version
3.20161219 was released on 2016-12-19, but the solution used in that
version was not effective with git versions older than 2.8.0.
-A more complete fix was released on 2016-12-29 in version 3.20161229.
-A backport to Debian 8 'jessie' is in progress.
+A more complete fix was released on 2016-12-29 in version 3.20161229,
+with fixes backported to Debian 8 in version 3.20141016.4.
([[!debcve CVE-2016-10026]] represents the original vulnerability.
[[!debcve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability
@@ -591,7 +591,72 @@ of them relatively minor:
could potentially forge commit authorship (attribute their edit to
someone else) by crafting multiple values for the rcsinfo field
-This was fixed in ikiwiki 3.20161229. A backport to Debian 8
-'jessie' is in progress.
+This was fixed in ikiwiki 3.20161229, with fixes backported to Debian 8
+in version 3.20141016.4.
([[!debcve CVE-2016-9646]]/OVE-20161226-0001)
+
+## Authentication bypass via repeated parameters
+
+The ikiwiki maintainers discovered further flaws similar to CVE-2016-9646
+in the passwordauth plugin's use of CGI::FormBuilder, with a more
+serious impact:
+
+* An attacker who can log in to a site with a password can log in
+ as a different and potentially more privileged user.
+* An attacker who can create a new account can set arbitrary fields
+ in the user database for that account.
+
+This was fixed in ikiwiki 3.20170111, with fixes backported to Debian 8
+in version 3.20141016.4.
+
+([[!debcve CVE-2017-0356]]/OVE-20170111-0001)
+
+## Server-side request forgery via aggregate plugin
+
+The ikiwiki maintainers discovered that the [[plugins/aggregate]] plugin
+did not use [[!cpan LWPx::ParanoidAgent]]. On sites where the
+aggregate plugin is enabled, authorized wiki editors could tell ikiwiki
+to fetch potentially undesired URIs even if LWPx::ParanoidAgent was
+installed:
+
+* local files via `file:` URIs
+* other URI schemes that might be misused by attackers, such as `gopher:`
+* hosts that resolve to loopback IP addresses (127.x.x.x)
+* hosts that resolve to RFC 1918 IP addresses (192.168.x.x etc.)
+
+This could be used by an attacker to publish information that should not have
+been accessible, cause denial of service by requesting "tarpit" URIs that are
+slow to respond, or cause undesired side-effects if local web servers implement
+["unsafe"](https://tools.ietf.org/html/rfc7231#section-4.2.1) GET requests.
+([[!debcve CVE-2019-9187]])
+
+Additionally, if the LWPx::ParanoidAgent module was not installed, the
+[[plugins/blogspam]], [[plugins/openid]] and [[plugins/pinger]] plugins
+would fall back to [[!cpan LWP]], which is susceptible to similar attacks.
+This is unlikely to be a practical problem for the blogspam plugin because
+the URL it requests is under the control of the wiki administrator, but
+the openid plugin can request URLs controlled by unauthenticated remote
+users, and the pinger plugin can request URLs controlled by authorized
+wiki editors.
+
+This is addressed in ikiwiki 3.20190228 as follows, with the same fixes
+backported to Debian 9 in version 3.20170111.1:
+
+* URI schemes other than `http:` and `https:` are not accepted, preventing
+ access to `file:`, `gopher:`, etc.
+
+* If a proxy is [[configured in the ikiwiki setup file|tips/using_a_proxy]],
+ it is used for all outgoing `http:` and `https:` requests. In this case
+ the proxy is responsible for blocking any requests that are undesired,
+ including loopback or RFC 1918 addresses.
+
+* If a proxy is not configured, and LWPx::ParanoidAgent is installed,
+ it will be used. This prevents loopback and RFC 1918 IP addresses, and
+ sets a timeout to avoid denial of service via "tarpit" URIs.
+
+* Otherwise, the ordinary LWP user-agent will be used. This allows requests
+ to loopback and RFC 1918 IP addresses, and has less robust timeout
+ behaviour. We are not treating this as a vulnerability: if this
+ behaviour is not acceptable for your site, please make sure to install
+ LWPx::ParanoidAgent or disable the affected plugins.