From: www-data Date: Thu, 16 Mar 2006 21:09:41 +0000 (+0000) Subject: web commit by joey X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/commitdiff_plain/c0a2814124f60a212da043d2f4340b10994d055c?ds=sidebyside web commit by joey --- diff --git a/doc/security.mdwn b/doc/security.mdwn index c2ddc2424..0731ff3c5 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -86,19 +86,6 @@ ikiwiki does not expose untrusted data to the shell. In fact it doesn't use system() at all, and the only use of backticks is on data supplied by the wiki admin. And it runs with taint checks on of course.. -## destination directory file replacement - -Any file in the destination directory that is a valid page filename can be -replaced, even if it was not originally rendered from a page. For example, -ikiwiki.cgi could be edited in the wiki, and it would write out a -replacement. File permission is preseved. Yipes! - -This was fixed by making ikiwiki check if the file it's writing to exists; -if it does then it has to be a file that it's aware of creating before, or -it will refuse to create it. - -Still, this sort of attack is something to keep in mind. - ## cgi data security When ikiwiki runs as a cgi to edit a page, it is passed the name of the @@ -109,18 +96,33 @@ removing unallowed characters, then making sure it doesn't start with "/" or contain ".." or "/.svn/". Annoyingly ad-hoc, this kind of code is where security holes breed. It needs a test suite at the very least. +## CGI::Session security + +I've audited this module and it is massively insecure by default. ikiwiki +uses it in one of the few secure ways; by forcing it to write to a +directory it controls (and not /tmp) and by setting a umask that makes the +file not be world readable. + ## cgi password security Login to the wiki involves sending a password in cleartext over the net. Cracking the password only allows editing the wiki as that user though. If you care, you can use https, I suppose. -## CGI::Session security +# Fixed holes. -I've audited this module and it is massively insecure by default. ikiwiki -uses it in one of the few secure ways; by forcing it to write to a -directory it controls (and not /tmp) and by setting a umask that makes the -file not be world readable. +## destination directory file replacement + +Any file in the destination directory that is a valid page filename can be +replaced, even if it was not originally rendered from a page. For example, +ikiwiki.cgi could be edited in the wiki, and it would write out a +replacement. File permission is preseved. Yipes! + +This was fixed by making ikiwiki check if the file it's writing to exists; +if it does then it has to be a file that it's aware of creating before, or +it will refuse to create it. + +Still, this sort of attack is something to keep in mind. ## symlink attacks