Get Involved!
TWiki is an open source project with 10+ years of history, built by a team of volunteers from around the world, and used by millions of people in over 100 countries. The community is focusing on building the best collaboration platform for the workplace. We invite you to get involved!
Known Issues of TWiki
TWikiSecurityAlerts reports all TWiki security advisories in one page
Known issues of TWikiProductionReleases are tracked in a topic for each release:
-- PeterThoeny - 07 Nov 2004
Discussions
Pre-registered Admin Users
Any standard twiki distribution from xxxx through BeijingRelease ((?) please confirm!) ships with CoreTeam members pre-registered. This means: a) their user topics exist, b) they are members of the default TWikiAdminGroup, c) their passwords are in the .htpasswd file and can be cracked.
-- MattWilkie - 26 Nov 2004
Javascript embedded within topic contents is executed. UsersCanPutJavascriptInTopics explores this more fully.
Note that this is really a subset, as just about any html object is treated the same way: EmbedAnything.
-- MattWilkie - 26 Nov 2004
Silent Edits
Usually security alerts and known issues are published to warn administrators of things which hostile users can do. This known issue is to warn users of what their admins can do.
There are two administrative commands, repRev and delRev, which allow silent modification of topic contents by sidestepping the version control system. Any admin user can use these. (Documented in lib/TWiki.cfg)
The use of repRev and delRev is logged in the twiki logfile, but the nature of that use is not recorded.
Also see HowToRollbackRevision
-- MattWilkie - 26 Nov 2004
TWikiPreferences override
%MAINWEB%.TWikiPreferences overrides all other preference topics. However in all distributions from xxxx to BeijingRelease (?), this topic does not exist. Therefore anybody can create this topic and thereby assume total control of the wiki.
(This can be used to good effect by the way. Put all of your local customisations in TWikiPreferences and then when upgrading you can simply allow the TWikiPreferences file to be overwritten.)
Full details in SecureTWikiPreferences.
-- MattWilkie - 26 Nov 2004
hidden meta tag can be hijacked
The environment variables HTTP_EQUIV_ON_VIEW, _EDIT and _PREVIEW are embedded in the head block of the html page and are not user visible. These settings are not part of FINALPREFERENCES by default and therefore can be misappropriated.
I'm not sure how much mischief could be done, but this one is kind of neat when it works (only for IE users):
Plugins and skins, like SeeSkin with its INLINESTYLE, which use preferences in the head section are also susceptible.
-- AntonAylward (by email) - 26 Nov 2004
Related: RefreshAsSecurityProblem
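A small audit for the FINALPREFERENCES gap described above, added here as an example (not code from the TWiki project or from the posts on this page): it parses the single-line `* Set NAME = value` bullets of a preferences topic, reports which of the three head-block preferences are not finalized, and produces a hardened FINALPREFERENCES line. The sample topic text is constructed, and the check assumes at most one FINALPREFERENCES bullet.

```python
import re

# Preferences TWiki expands into the HTML <head> block (the ones this page names).
HEAD_PREFERENCES = ("HTTP_EQUIV_ON_VIEW", "HTTP_EQUIV_ON_EDIT", "HTTP_EQUIV_ON_PREVIEW")

# TWiki preference syntax: an indented bullet, then 'Set NAME = value' (single-line form only).
SET_LINE = re.compile(r"^\s+\*\s+Set\s+([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")

def parse_settings(topic_text):
    """Return {NAME: value} for every 'Set' bullet; a later Set of the same name wins."""
    settings = {}
    for line in topic_text.splitlines():
        m = SET_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def unfinalized_head_preferences(topic_text):
    """Head-block preferences that FINALPREFERENCES does not lock, in HEAD_PREFERENCES order."""
    final_value = parse_settings(topic_text).get("FINALPREFERENCES", "")
    final = {name.strip() for name in final_value.split(",") if name.strip()}
    return [name for name in HEAD_PREFERENCES if name not in final]

def harden_final_preferences(topic_text):
    """Append the missing head preferences to the (assumed single) FINALPREFERENCES bullet, adding one if absent."""
    missing = unfinalized_head_preferences(topic_text)
    if not missing:
        return topic_text
    lines = topic_text.splitlines()
    for i, line in enumerate(lines):
        m = SET_LINE.match(line)
        if m and m.group(1) == "FINALPREFERENCES":
            existing = [n.strip() for n in m.group(2).split(",") if n.strip()]
            lines[i] = "   * Set FINALPREFERENCES = " + ", ".join(existing + missing)
            break
    else:
        lines.append("   * Set FINALPREFERENCES = " + ", ".join(missing))
    return "\n".join(lines) + "\n"

# Constructed sample: a TWikiPreferences excerpt whose FINALPREFERENCES omits the head settings.
SAMPLE_PREFERENCES = """\
   * Set HTTP_EQUIV_ON_VIEW = <link rel="stylesheet" href="/constructed/site.css" type="text/css">
   * Set HTTP_EQUIV_ON_EDIT =
   * Set HTTP_EQUIV_ON_PREVIEW =
   * Set FINALPREFERENCES = ATTACHFILESIZELIMIT, WIKITOOLNAME, WIKIWEBMASTER, WEBTOPICLIST
"""

if __name__ == "__main__":
    for name in unfinalized_head_preferences(SAMPLE_PREFERENCES):
        print(f"{name} is not finalized; a web or user topic can override it")
```

Run it against the real %MAINWEB%.TWikiPreferences and TWiki.TWikiPreferences text to see which head-block settings a lower-level topic could still redefine.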
Meta note: I put all of these in the general known issues topic because I either don't know for sure at which point the issues were fixed, or they are outstanding for all versions of twiki.
-- MattWilkie - 26 Nov 2004