X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/c868d08aeb6ffabecf88079753530d9801a3fef3..3a6d0d3a771cbbc1f252cb3cfcdbeabf36d38f2b:/doc/security.mdwn diff --git a/doc/security.mdwn b/doc/security.mdwn index c2ddc2424..5fda9e678 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -44,7 +44,7 @@ this wiki, BTW. ## svn commit logs -Anyone with svn commit access can forge "web commit from foo" and make it appeat on [[RecentChanges]] like foo committed. One way to avoid this would be to limit web commits to those done by a certian user. +Anyone with svn commit access can forge "web commit from foo" and make it appear on [[RecentChanges]] like foo committed. One way to avoid this would be to limit web commits to those done by a certian user. It's actually possible to force a whole series of svn commits to appear to have come just before yours, by forging svn log output. This could be guarded against somewhat by revision number scanning, since the forged revisions would duplicate the numbers of unforged ones. Or subversion could fix svn log to indent commit messages, which would make such forgery impossible.. @@ -84,20 +84,7 @@ been no problem yet. ikiwiki does not expose untrusted data to the shell. In fact it doesn't use system() at all, and the only use of backticks is on data supplied by the -wiki admin. And it runs with taint checks on of course.. - -## destination directory file replacement - -Any file in the destination directory that is a valid page filename can be -replaced, even if it was not originally rendered from a page. For example, -ikiwiki.cgi could be edited in the wiki, and it would write out a -replacement. File permission is preseved. Yipes! - -This was fixed by making ikiwiki check if the file it's writing to exists; -if it does then it has to be a file that it's aware of creating before, or -it will refuse to create it. - -Still, this sort of attack is something to keep in mind. +wiki admin and untainted filenames. And it runs with taint checks on of course.. ## cgi data security @@ -109,18 +96,35 @@ removing unallowed characters, then making sure it doesn't start with "/" or contain ".." or "/.svn/". Annoyingly ad-hoc, this kind of code is where security holes breed. It needs a test suite at the very least. +## CGI::Session security + +I've audited this module and it is massively insecure by default. ikiwiki +uses it in one of the few secure ways; by forcing it to write to a +directory it controls (and not /tmp) and by setting a umask that makes the +file not be world readable. + ## cgi password security Login to the wiki involves sending a password in cleartext over the net. Cracking the password only allows editing the wiki as that user though. If you care, you can use https, I suppose. -## CGI::Session security +# Fixed holes -I've audited this module and it is massively insecure by default. ikiwiki -uses it in one of the few secure ways; by forcing it to write to a -directory it controls (and not /tmp) and by setting a umask that makes the -file not be world readable. +_(Unless otherwise noted, these were discovered and immediatey fixed by the ikiwiki developers.)_ + +## destination directory file replacement + +Any file in the destination directory that is a valid page filename can be +replaced, even if it was not originally rendered from a page. For example, +ikiwiki.cgi could be edited in the wiki, and it would write out a +replacement. File permission is preseved. Yipes! + +This was fixed by making ikiwiki check if the file it's writing to exists; +if it does then it has to be a file that it's aware of creating before, or +it will refuse to create it. + +Still, this sort of attack is something to keep in mind. ## symlink attacks