diff options
| author | Joey Hess <joey@kitenet.net> | 2007-11-26 15:30:44 -0500 |
|---|---|---|
| committer | Joey Hess <joey@kitenet.net> | 2007-11-26 15:30:44 -0500 |
| commit | e15e3202eb04048feb302b39d946f1ae1a15c306 (patch) | |
| tree | af286f69e186483a5179e97939fbc2b01fc6932c /doc/security.mdwn | |
| parent | 8df24a447d9bcae138873bc076432e6a69946d7f (diff) | |
releasing version 2.14
Diffstat (limited to 'doc/security.mdwn')
| -rw-r--r-- | doc/security.mdwn | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn index b1e8d03f6..a1c2120ce 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -315,3 +315,33 @@ This hole was discovered on 21 March 2007 and fixed the same day with the release of ikiwiki 1.47. A fix was also backported to Debian etch, as version 1.33.3. I recommend upgrading to one of these versions if your wiki can be edited by third parties. + +## insufficient checking for symlinks in srcdir path + +Ikiwiki did not check if path to the srcdir to contained a symlink. If an +attacker had commit access to the directories in the path, they could +change it to a symlink, causing ikiwiki to read and publish files that were +not intended to be published. (But not write to them due to other checks.) + +In most configurations, this is not exploitable, because the srcdir is +checked out of revision control, but the directories leading up to it are +not. Or, the srcdir is a single subdirectory of a project in revision +control (ie, `ikiwiki/doc`), and if the subdirectory were a symlink, +ikiwiki would still typically not follow it. + +There are at least two configurations where this is exploitable: + +* If the srcdir is a deeper subdirectory of a project. For example if it is + `project/foo/doc`, an an attacker can replace `foo` with a symlink to a + directory containing a `doc` directory (not a symlink), then ikiwiki + would follow the symlink. +* If the path to the srcdir in ikiwiki's configuration ended in "/", + and the srcdir is a single subdirectory of a project, (ie, + `ikiwiki/doc/`), the srcdir could be a symlink and ikiwiki would not + notice. + +This security hole was discovered on 26 November 2007 and fixed the same +da with the release of ikiwiki 2.14. I recommend upgrading to this version +if your wiki can be committed to by third parties. Alternatively, don't use +a trailing slash in the srcdir, and avoid the (unusual) configurations that +allow the security hole to be exploited. |