From c0a2814124f60a212da043d2f4340b10994d055c Mon Sep 17 00:00:00 2001 From: www-data Date: Thu, 16 Mar 2006 21:09:41 +0000 Subject: [PATCH] web commit by joey --- doc/security.mdwn | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/doc/security.mdwn b/doc/security.mdwn index c2ddc2424..0731ff3c5 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -86,19 +86,6 @@ ikiwiki does not expose untrusted data to the shell. In fact it doesn't use system() at all, and the only use of backticks is on data supplied by the wiki admin. And it runs with taint checks on of course.. -## destination directory file replacement - -Any file in the destination directory that is a valid page filename can be -replaced, even if it was not originally rendered from a page. For example, -ikiwiki.cgi could be edited in the wiki, and it would write out a -replacement. File permission is preseved. Yipes! - -This was fixed by making ikiwiki check if the file it's writing to exists; -if it does then it has to be a file that it's aware of creating before, or -it will refuse to create it. - -Still, this sort of attack is something to keep in mind. - ## cgi data security When ikiwiki runs as a cgi to edit a page, it is passed the name of the @@ -109,18 +96,33 @@ removing unallowed characters, then making sure it doesn't start with "/" or contain ".." or "/.svn/". Annoyingly ad-hoc, this kind of code is where security holes breed. It needs a test suite at the very least. +## CGI::Session security + +I've audited this module and it is massively insecure by default. ikiwiki +uses it in one of the few secure ways; by forcing it to write to a +directory it controls (and not /tmp) and by setting a umask that makes the +file not be world readable. + ## cgi password security Login to the wiki involves sending a password in cleartext over the net. Cracking the password only allows editing the wiki as that user though. If you care, you can use https, I suppose. -## CGI::Session security +# Fixed holes. -I've audited this module and it is massively insecure by default. ikiwiki -uses it in one of the few secure ways; by forcing it to write to a -directory it controls (and not /tmp) and by setting a umask that makes the -file not be world readable. +## destination directory file replacement + +Any file in the destination directory that is a valid page filename can be +replaced, even if it was not originally rendered from a page. For example, +ikiwiki.cgi could be edited in the wiki, and it would write out a +replacement. File permission is preseved. Yipes! + +This was fixed by making ikiwiki check if the file it's writing to exists; +if it does then it has to be a file that it's aware of creating before, or +it will refuse to create it. + +Still, this sort of attack is something to keep in mind. ## symlink attacks -- 2.26.2