
Known Issues of TWiki

TWikiSecurityAlerts reports all TWiki security advisories on one page.

Known issues of TWikiProductionReleases are tracked in a topic for each release:

-- PeterThoeny - 07 Nov 2004

Discussions

Pre-registered Admin Users

Any standard twiki distribution from xxxx through BeijingRelease ((?) please confirm!) ships with CoreTeam members pre-registered. This means: a) their user topics exist, b) they are members of the default TWikiAdminGroup, c) their passwords are in the .htpasswd file and can be cracked.

-- MattWilkie - 26 Nov 2004

embedded JavaScript

JavaScript embedded within topic contents is executed. UsersCanPutJavascriptInTopics explores this more fully. Note that this is really a subset, as just about any HTML object is treated the same way: EmbedAnything.

-- MattWilkie - 26 Nov 2004

Silent Edits

Usually security alerts and known issues are published to warn administrators of things which hostile users can do. This known issue is to warn users of what their admins can do.

There are two administrative commands, repRev and delRev, which allow silent modification of topic contents by sidestepping the version control system. Any admin user can use these. (Documented in lib/TWiki.cfg.)

The use of repRev and delRev is logged in the twiki logfile, but the nature of that use is not recorded.

Also see HowToRollbackRevision

-- MattWilkie - 26 Nov 2004
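A defender-side check for the logging caveat raised above: this script is added here as an example and is not part of TWiki or of this topic. It scans pipe-delimited TWiki log lines and lists every save that carries a repRev or delRev marker, so an auditor can at least ask what was changed. The column layout (date | user | action | web.topic | extra | ip) and the sample lines are constructed assumptions, not copied from a real install.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines; the six-column layout is an assumption about
# TWiki's data/log<yyyymm>.txt format, not taken from a real installation.
SAMPLE_LOG = """\
| 26 Nov 2004 - 09:12 | JaneUser | view | Main.WebHome |  | 192.0.2.10 |
| 26 Nov 2004 - 09:15 | JaneUser | save | Main.ProjectPlan |  | 192.0.2.10 |
| 26 Nov 2004 - 09:20 | AdminUser | save | Main.ProjectPlan | repRev | 192.0.2.20 |
| 26 Nov 2004 - 09:31 | AdminUser | save | TWiki.TWikiPreferences | delRev | 192.0.2.20 |
| 26 Nov 2004 - 09:40 | JaneUser | edit | Main.ProjectPlan |  | 192.0.2.10 |
"""

# The two commands named in the topic that bypass version control.
SILENT_EDIT_MARKERS = ("repRev", "delRev")


@dataclass
class LogEntry:
    when: str
    user: str
    action: str
    topic: str
    extra: str
    ip: str


def parse_log(text):
    """Split pipe-delimited log lines into LogEntry records; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().strip("|").split("|")]
        if len(fields) != 6:
            continue
        entries.append(LogEntry(*fields))
    return entries


def find_silent_edits(entries):
    """Return entries whose action or extra column names repRev or delRev."""
    return [e for e in entries
            if any(m in e.action or m in e.extra for m in SILENT_EDIT_MARKERS)]


def silent_edits_per_user(entries):
    """Count flagged events per user, a quick view of who sidesteps history."""
    return Counter(e.user for e in find_silent_edits(entries))


if __name__ == "__main__":
    for e in find_silent_edits(parse_log(SAMPLE_LOG)):
        print(f"{e.when}  {e.user:<10} {e.extra:<7} {e.topic}  from {e.ip}")
```

The log tells you only that a revision was replaced or deleted; recovering what text changed still needs an out-of-band copy of the topic, which is why the topic above calls this an issue for users rather than admins.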

TWikiPreferences override

%MAINWEB%.TWikiPreferences overrides all other preference topics.

However in all distributions from xxxx to BeijingRelease(?), this topic does not exist. Therefore anybody can create this topic and thereby assume total control of the wiki.

(This can be used to good effect by the way. Put all of your local customisations in TWikiPreferences and then when upgrading you can simply allow the TWikiPreferences file to be overwritten.)

Full details in SecureTWikiPreferences.

-- MattWilkie - 26 Nov 2004

hidden meta tag can be hijacked

The environment variables HTTP_EQUIV_ON_VIEW, _EDIT and _PREVIEW are embedded in the head block of the HTML page and are not user visible. These settings are not part of FINALPREFERENCES by default and therefore can be misappropriated.

I'm not sure how much mischief could be done, but this one is kind of neat when it works (only for IE users):

    • Set HTTP_EQUIV_ON_VIEW =

Plugins and skins, like SeeSkin with its INLINESTYLE, which use preferences in the head section are also susceptible.

-- AntonAylward (by email) - 26 Nov 2004

Related: RefreshAsSecurityProblem


Meta note: I put all of these in the general known issues topic because I either don't know for sure at which point the issues were fixed, or they are outstanding for all versions of twiki.

-- MattWilkie - 26 Nov 2004

Topic revision: r6 - 2011-06-16 - PeterThoeny