Of course nobody else seems to worry about this in other wikis, so should we?
-Currently only people with direct svn commit access can upload such files
-(and if you wanted to you could block that with a svn pre-commit hook).
+Currently only people with direct commit access can upload such files
+(and if you wanted to you could block that with a pre-commit hook).
Users with only web commit access are limited to editing pages as ikiwiki
doesn't support file uploads from browsers (yet), so they can't exploit
this.
+It is possible to embed an image in a page edited over the web, by using
+`img src="data:image/png;"`. Ikiwiki's htmlscrubber only allows `data:`
+urls to be used for `image/*` mime types. It's possible that some broken
+browser might ignore the mime type and if the data provided is not an
+image, instead run it as javascript, or something evil like that. Hopefully
+not many browsers are that broken.
+
## multiple accessors of wiki directory
If multiple people can directly write to the source directory ikiwiki is
## setup files
-Setup files are not safe to keep in subversion with the rest of the wiki.
-Just don't do it. [[ikiwiki.setup]] is *not* used as the setup file for
-this wiki, BTW.
+Setup files are not safe to keep in the same revision control repository
+with the rest of the wiki. Just don't do it. [[ikiwiki.setup]] is *not*
+used as the setup file for this wiki, BTW.
-## page locking can be bypassed via direct svn commits
+## page locking can be bypassed via direct commits
-A locked page can only be edited on the web by an admin, but
-anyone who is allowed to commit direct to svn can bypass this. This is by
-design, although a subversion pre-commit hook could be used to prevent
-editing of locked pages when using subversion, if you really need to.
+A locked page can only be edited on the web by an admin, but anyone who is
+allowed to commit directly to the repository can bypass this. This is by
+design, although a pre-commit hook could be used to prevent editing of
+locked pages, if you really need to.
## web server attacks
editing of ../../../foo, or editing of files that are not part of the wiki,
such as subversion dotfiles. This is done by sanitising the filename
removing unallowed characters, then making sure it doesn't start with "/"
-or contain ".." or "/.svn/". Annoyingly ad-hoc, this kind of code is where
-security holes breed. It needs a test suite at the very least.
+or contain ".." or "/.svn/", etc. Annoyingly ad-hoc, this kind of code is
+where security holes breed. It needs a test suite at the very least.
## CGI::Session security
## XSS holes in CGI output
-ikiwiki has not yet been audited to ensure that all cgi script input/output
+ikiwiki has been audited to ensure that all cgi script input/output
is sanitised to prevent XSS attacks. For example, a user can't register
with a username containing html code (anymore).
To avoid this, ikiwiki will skip over symlinks when scanning for pages, and
uses locking to prevent more than one instance running at a time. The lock
-prevents one ikiwiki from running a svn up at the wrong time to race
-another ikiwiki. So only attackers who can write to the working copy on
-their own can race it.
+prevents one ikiwiki from running a svn up/git pull/etc at the wrong time
+to race another ikiwiki. So only attackers who can write to the working
+copy on their own can race it.
## symlink + cgi attacks
-Similarly, a svn commit of a symlink could be made, ikiwiki ignores it
+Similarly, a commit of a symlink could be made, ikiwiki ignores it
because of the above, but the symlink is still there, and then you edit the
page from the web, which follows the symlink when reading the page
(exposing the content), and again when saving the changed page (changing
notice.
This security hole was discovered on 26 November 2007 and fixed the same
-da with the release of ikiwiki 2.14. I recommend upgrading to this version
+day with the release of ikiwiki 2.14. I recommend upgrading to this version
if your wiki can be committed to by third parties. Alternatively, don't use
a trailing slash in the srcdir, and avoid the (unusual) configurations that
allow the security hole to be exploited.
+
+## javascript insertion via uris
+
+The htmlscrubber did not block javascript in uris. This was fixed by adding
+a whitelist of valid uri types, which does not include javascript.
+([[cve CVE-2008-0809]]) Some urls specifyable by the meta plugin could also
+theoretically have been used to inject javascript; this was also blocked
+([[cve CVE-2008-0808]]).
+
+This hole was discovered on 10 February 2008 and fixed the same day
+with the release of ikiwiki 2.31.1. (And a few subsequent versions..)
+A fix was also backported to Debian etch, as version 1.33.4. I recommend
+upgrading to one of these versions if your wiki can be edited by third
+parties.
+
+## Cross Site Request Forging
+
+Cross Site Request Forging could be used to constuct a link that would
+change a logged-in user's password or other preferences if they clicked on
+the link. It could also be used to construct a link that would cause a wiki
+page to be modified by a logged-in user.
+
+These holes were discovered on 10 April 2008 and fixed the same day with
+the release of ikiwiki 2.42. A fix was also backported to Debian etch, as
+version 1.33.4. I recommend upgrading to one of these versions.
sipb-www / ikiwiki.git / blobdiff