r5 - 29 Sep 2005 - 16:37:11 - PeterThoeny

Known Issues of TWiki

ALERT! TWikiSecurityAlerts reports all TWiki security advisories in one page

Known issues of TWikiProductionReleases are tracked in a topic for each release:

-- PeterThoeny - 07 Nov 2004

Discussions

Pre-registered Admin Users

Any standard twiki distribution from xxxx through BeijingRelease ((?) please confirm!) ships with CoreTeam members pre-registered. This means: a) their user topics exist, b) they are members of the default TWikiAdminGroup, c) their passwords are in the .htpasswd file and can be cracked

-- MattWilkie - 26 Nov 2004

embedded JavaScript

Javascript embedded within topic contents is executed. UsersCanPutJavascriptInTopics explores this more fully. Note that this is really a subset, as just about any html object is treated the same way: EmbedAnything.

-- MattWilkie - 26 Nov 2004

Silent Edits

Usually security alerts and known issues are published to warn administrators of things which hostile users can do. This known issue is to warn users of what their admins can do.

There are two administrative commands, repRev and delRev, which allow silent modification of topic contents by sidestepping the version control system. Any admin user can use these. (Documented in lib/TWiki.cfg)

The use of repRev and delRev is logged in the twiki logfile, but the nature of that use is not recorded.

Also see HowToRollbackRevision

-- MattWilkie - 26 Nov 2004
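Since the log records that repRev or delRev was used but not what was changed, the one thing a site admin or auditor can do from the logfile alone is find out who used them, when, and on which topic. The following is an added example (not part of this topic or of the TWiki code base) that does that over constructed sample lines. It assumes TWiki's pipe-delimited log layout (time | user | action | web.topic | extra | IP) and assumes the command name shows up somewhere in the action or extra field; both are assumptions, so adjust the field handling if your log1 file looks different.

```python
import re
from dataclasses import dataclass
from collections import Counter

# Constructed sample of a TWiki log file. The field layout
# (time | user | action | web.topic | extra | ip) and the placement
# of the repRev/delRev command in the "extra" field are assumptions.
SAMPLE_LOG = """\
| 26 Nov 2004 - 10:02 | Main.AliceUser | view | Codev.KnownIssuesOfTWiki |  | 10.0.0.5 |
| 26 Nov 2004 - 10:05 | Main.AdminUser | save | Codev.KnownIssuesOfTWiki |  | 10.0.0.9 |
| 26 Nov 2004 - 10:07 | Main.AdminUser | save | Codev.KnownIssuesOfTWiki | repRev | 10.0.0.9 |
| 26 Nov 2004 - 10:09 | Main.AdminUser | save | Codev.KnownIssuesOfTWiki | delRev | 10.0.0.9 |
| 26 Nov 2004 - 10:11 | Main.AliceUser | edit | Codev.OtherTopic |  | 10.0.0.5 |
this line is not a log record and is skipped
"""

# Whole-word match so e.g. a topic called "RepRevNotes" is not flagged.
SILENT_CMD = re.compile(r"\b(repRev|delRev)\b")


@dataclass
class SilentEdit:
    when: str
    user: str
    topic: str
    command: str
    ip: str


def parse_log_line(line):
    """Split one pipe-delimited TWiki log line into its six fields.

    Returns None for lines that do not have the expected shape.
    """
    line = line.strip()
    if not line.startswith("|") or not line.endswith("|"):
        return None
    fields = [f.strip() for f in line[1:-1].split("|")]
    if len(fields) < 6:
        return None
    when, user, action, topic, extra, ip = fields[:6]
    return {"when": when, "user": user, "action": action,
            "topic": topic, "extra": extra, "ip": ip}


def find_silent_edits(log_text):
    """Return every record in which repRev or delRev was used."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        # The command may be logged as the action itself or in the extra field.
        m = SILENT_CMD.search(rec["action"] + " " + rec["extra"])
        if m:
            hits.append(SilentEdit(rec["when"], rec["user"], rec["topic"],
                                   m.group(1), rec["ip"]))
    return hits


def count_by_user(hits):
    """Number of silent edits per user, so unusual accounts stand out."""
    return dict(Counter(h.user for h in hits))


if __name__ == "__main__":
    for h in find_silent_edits(SAMPLE_LOG):
        print(f"{h.when}  {h.user:<16} {h.command:<7} {h.topic}  from {h.ip}")
    print(count_by_user(find_silent_edits(SAMPLE_LOG)))
```

Run it against the real log1 file (cat the file and pass its text to find_silent_edits) to get a timeline of silent edits; comparing that timeline with the topic's RCS history is the only way to reconstruct what was actually replaced or removed, since the log itself does not record it.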

TWikiPreferences override

%MAINWEB%.TWikiPreferences overrides all other preference topics.

However in all distributions from xxxx to BeijingRelease(?), this topic does not exist. Therefore anybody can create this topic and thereby assume total control of the wiki.

(This can be used to good effect by the way. Put all of your local customisations in TWikiPreferences and then when upgrading you can simply allow the TWikiPreferences file to be overwritten.)

Full details in SecureTWikiPreferences.

-- MattWilkie - 26 Nov 2004
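The practical check that follows from the above is whether %MAINWEB%.TWikiPreferences exists on your site and, if it does, whether only admins can change it. Here is an added example (not from this topic or from TWiki itself) that audits a TWiki data directory for exactly that. It assumes the default web name Main for %MAINWEB%, that access is restricted with TWiki's ALLOWTOPICCHANGE setting, and that settings use the usual three-space "   * Set NAME = value" bullet form; the demo() function builds three constructed data directories in a temp folder rather than touching a real installation.

```python
import re
import tempfile
from pathlib import Path

MAIN_WEB = "Main"                     # assumed default value of %MAINWEB%
ADMIN_GROUP = "TWikiAdminGroup"       # group named on this page
# TWiki settings are bullets with at least three leading spaces.
ACL_RE = re.compile(r"^\s{3,}\*\s+Set\s+ALLOWTOPICCHANGE\s*=\s*(?P<who>.+?)\s*$",
                    re.MULTILINE)


def audit_main_preferences(data_dir):
    """Report whether Main.TWikiPreferences exists and is admin-only editable."""
    topic = Path(data_dir) / MAIN_WEB / "TWikiPreferences.txt"
    if not topic.exists():
        return {"exists": False, "change_restricted": False, "allowed": [],
                "finding": f"{MAIN_WEB}.TWikiPreferences is missing: any user "
                           "could create it and override every other preference topic"}
    text = topic.read_text()
    m = ACL_RE.search(text)
    allowed = [w.strip() for w in m.group("who").split(",") if w.strip()] if m else []
    # Accept "TWikiAdminGroup" or "Main.TWikiAdminGroup"; anything else widens edit rights.
    restricted = bool(allowed) and all(
        w == ADMIN_GROUP or w.endswith("." + ADMIN_GROUP) for w in allowed)
    finding = (None if restricted else
               f"{MAIN_WEB}.TWikiPreferences exists but ALLOWTOPICCHANGE does not "
               f"limit edits to {ADMIN_GROUP} (current value: {allowed or 'unset'})")
    return {"exists": True, "change_restricted": restricted,
            "allowed": allowed, "finding": finding}


def _write_topic(data_dir, body):
    # Constructed topic file; the META line mimics TWiki's topic header.
    web = Path(data_dir) / MAIN_WEB
    web.mkdir(parents=True, exist_ok=True)
    (web / "TWikiPreferences.txt").write_text(
        '%META:TOPICINFO{author="AdminUser" date="1101465600" format="1.0" version="1.1"}%\n'
        + body)


def demo():
    """Audit three constructed data directories: missing, open, and locked down."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "missing" / MAIN_WEB).mkdir(parents=True)
        _write_topic(tmp / "open",
                     "   * Set SKIN = pattern\n")
        _write_topic(tmp / "locked",
                     "   * Set SKIN = pattern\n"
                     "   * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup\n")
        for name in ("missing", "open", "locked"):
            results[name] = audit_main_preferences(tmp / name)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:<8} exists={r['exists']} restricted={r['change_restricted']}"
              f"  {r['finding'] or 'OK'}")
```

Point audit_main_preferences at the data directory of a live install (the one containing the Main and TWiki web folders) to see which of the three states it is in; the "missing" and "open" results are the two situations the post above describes.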

hidden meta tag can be hijacked

The environment variables HTTP_EQUIV_ON_VIEW, _EDIT and _PREVIEW are embedded in the head block of the html page and are not user visible. These settings are not part of FINALPREFERENCES by default and therefore can be misappropriated.

I'm not sure how much mischief could be done, but this one is kind of neat when it works (only for IE users):

    • Set HTTP_EQUIV_ON_VIEW =

Plugins and skins, like SeeSkin with its INLINESTYLE, which use preferences in the head section are also susceptible.

-- AntonAylward (by email) - 26 Nov 2004

Related: RefreshAsSecurityProblem

Meta note: I put all of these in the general known issues topic because I either don't know for sure at which point the issues were fixed, or they are outstanding for all versions of twiki.

-- MattWilkie - 26 Nov 2004
