X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/cfdba3c70815bed12e106a2f749624040a9aa27d..b95a86c069ccbcd89104f72081cfc25f986465e3:/doc/security.mdwn?ds=inline diff --git a/doc/security.mdwn b/doc/security.mdwn index 830cd415b..723daeccc 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -47,6 +47,13 @@ Users with only web commit access are limited to editing pages as ikiwiki doesn't support file uploads from browsers (yet), so they can't exploit this. +It is possible to embed an image in a page edited over the web, by using +`img src="data:image/png;"`. Ikiwiki's htmlscrubber only allows `data:` +urls to be used for `image/*` mime types. It's possible that some broken +browser might ignore the mime type and if the data provided is not an +image, instead run it as javascript, or something evil like that. Hopefully +not many browsers are that broken. + ## multiple accessors of wiki directory If multiple people can directly write to the source directory ikiwiki is @@ -57,16 +64,16 @@ So it's best if only one person can ever directly write to those directories. ## setup files -Setup files are not safe to keep in subversion with the rest of the wiki. -Just don't do it. [[ikiwiki.setup]] is *not* used as the setup file for -this wiki, BTW. +Setup files are not safe to keep in the same revision control repository +with the rest of the wiki. Just don't do it. [[ikiwiki.setup]] is *not* +used as the setup file for this wiki, BTW. ## page locking can be bypassed via direct commits A locked page can only be edited on the web by an admin, but anyone who is allowed to commit directly to the repository can bypass this. This is by design, although a pre-commit hook could be used to prevent editing of -locked pages when using subversion, if you really need to. +locked pages, if you really need to. ## web server attacks @@ -341,7 +348,21 @@ There are at least two configurations where this is exploitable: notice. This security hole was discovered on 26 November 2007 and fixed the same -da with the release of ikiwiki 2.14. I recommend upgrading to this version +day with the release of ikiwiki 2.14. I recommend upgrading to this version if your wiki can be committed to by third parties. Alternatively, don't use a trailing slash in the srcdir, and avoid the (unusual) configurations that allow the security hole to be exploited. + +## javascript insertion via uris + +The htmlscrubber did not block javascript in uris. This was fixed by adding +a whitelist of valid uri types, which does not include javascript. +([[cve CVE-2008-0809]]) Some urls specifyable by the meta plugin could also +theoretically have been used to inject javascript; this was also blocked +([[cve CVE-2008-0808]]). + +This hole was discovered on 10 February 2008 and fixed the same day +with the release of ikiwiki 2.31.1. (And a few subsequent versions..) +A fix was also backported to Debian etch, as version 1.33.4. I recommend +upgrading to one of these versions if your wiki can be edited by third +parties.