summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorwww-data <www-data@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>2006-03-16 21:09:41 +0000
committerwww-data <www-data@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>2006-03-16 21:09:41 +0000
commitc0a2814124f60a212da043d2f4340b10994d055c (patch)
tree9ce322bbf1fbbe8ec930f1a07b17c966eea604c3
parentc868d08aeb6ffabecf88079753530d9801a3fef3 (diff)
web commit by joey
-rw-r--r--doc/security.mdwn38
1 files changed, 20 insertions, 18 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn
index c2ddc2424..0731ff3c5 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -86,19 +86,6 @@ ikiwiki does not expose untrusted data to the shell. In fact it doesn't use
system() at all, and the only use of backticks is on data supplied by the
wiki admin. And it runs with taint checks on of course..
-## destination directory file replacement
-
-Any file in the destination directory that is a valid page filename can be
-replaced, even if it was not originally rendered from a page. For example,
-ikiwiki.cgi could be edited in the wiki, and it would write out a
-replacement. File permission is preseved. Yipes!
-
-This was fixed by making ikiwiki check if the file it's writing to exists;
-if it does then it has to be a file that it's aware of creating before, or
-it will refuse to create it.
-
-Still, this sort of attack is something to keep in mind.
-
## cgi data security
When ikiwiki runs as a cgi to edit a page, it is passed the name of the
@@ -109,18 +96,33 @@ removing unallowed characters, then making sure it doesn't start with "/"
or contain ".." or "/.svn/". Annoyingly ad-hoc, this kind of code is where
security holes breed. It needs a test suite at the very least.
+## CGI::Session security
+
+I've audited this module and it is massively insecure by default. ikiwiki
+uses it in one of the few secure ways; by forcing it to write to a
+directory it controls (and not /tmp) and by setting a umask that makes the
+file not be world readable.
+
## cgi password security
Login to the wiki involves sending a password in cleartext over the net.
Cracking the password only allows editing the wiki as that user though.
If you care, you can use https, I suppose.
-## CGI::Session security
+# Fixed holes.
-I've audited this module and it is massively insecure by default. ikiwiki
-uses it in one of the few secure ways; by forcing it to write to a
-directory it controls (and not /tmp) and by setting a umask that makes the
-file not be world readable.
+## destination directory file replacement
+
+Any file in the destination directory that is a valid page filename can be
+replaced, even if it was not originally rendered from a page. For example,
+ikiwiki.cgi could be edited in the wiki, and it would write out a
+replacement. File permission is preseved. Yipes!
+
+This was fixed by making ikiwiki check if the file it's writing to exists;
+if it does then it has to be a file that it's aware of creating before, or
+it will refuse to create it.
+
+Still, this sort of attack is something to keep in mind.
## symlink attacks