SecureTWikiPreferences - r4 - 17 Sep 2004 - 03:21:34 - PeterThoeny

Security audit: TWiki Preferences need to be secured properly

This is an alert for site owners to check their ALLOWTOPICRENAME and FINALPREFERENCES settings in their TWiki's TWikiPreferences and WebPreferences.

  • Sites that allow anyone to rename topics should set the ALLOWTOPICRENAME setting in all preferences topics to prevent a user from renaming the preferences topic and recreating their preferred preferences
  • At each level you can prevent a lower level from overloading a setting by listing them in the FINALPREFERENCES

TWiki has three documented (and one undocumented) levels of preferences settings:

  1. Site-level settings in TWiki.TWikiPreferences
  2. Secondary site-level settings in Main.TWikiPreferences
  3. Web-level settings in WebPreferences of any web
  4. User-level settings in user's home pages, like TWikiGuest

Please take the time to check if your site is secure:

  • TWiki.TWikiPreferences topic:
    • Make sure that nobody can rename the topic. Set the ALLOWTOPICRENAME to:
        * Set ALLOWTOPICRENAME = %MAINWEB%.TWikiAdminGroup
    • Make sure the FINALPREFERENCES setting lists all settings you do not want to have redefined at a lower level

     The site-level preferences are located in [[%TWIKIWEB%.%TOPIC%]]
        * Set ALLOWTOPICCHANGE = %MAINWEB%.TWikiAdminGroup
        * Set ALLOWTOPICRENAME = %MAINWEB%.TWikiAdminGroup

  • WebPreferences topics in each web (including the _default web):
    • Make sure the ALLOWTOPICRENAME setting lists the %MAINWEB%.TWikiAdminGroup
    • Make sure the FINALPREFERENCES setting lists all settings you do not want to have redefined at the user level

-- PeterThoeny - 18 Dec 2003
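The checklist above can be run mechanically. The following audit script is an added example, not code from this page or from TWiki itself; it assumes the default data layout data/<Web>/<Topic>.txt, the default web names TWiki and Main, and an example list of settings that should be finalised (REQUIRED_FINAL), which a site would replace with its own.

```python
import re
import sys
from pathlib import Path

# TWiki stores one topic per file (data/<Web>/<Topic>.txt, assumed default layout).
# A preference is a bullet line of the form "   * Set NAME = value".
SET_RE = re.compile(r'^\s+\*\s+Set\s+(\w+)\s*=\s*(.*?)\s*$', re.MULTILINE)
ADMIN = "%MAINWEB%.TWikiAdminGroup"      # the group the post recommends
# Example list of settings a lower level must not redefine; a site chooses its own.
REQUIRED_FINAL = ("WIKIWEBMASTER", "ATTACHFILESIZELIMIT")

def parse_settings(text):
    """Map NAME -> value for every '* Set NAME = value' line (last definition wins)."""
    return {m.group(1): m.group(2) for m in SET_RE.finditer(text)}

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def audit(text, required_final=()):
    """Return findings (strings) for the raw text of one preferences topic."""
    settings = parse_settings(text)
    findings = []
    rename = settings.get("ALLOWTOPICRENAME", "")
    if not rename:
        findings.append("ALLOWTOPICRENAME unset: anyone allowed to rename topics "
                        "can replace this topic with their own preferences")
    elif ADMIN not in _csv(rename):
        findings.append("ALLOWTOPICRENAME does not list " + ADMIN)
    final = set(_csv(settings.get("FINALPREFERENCES", "")))
    for name in required_final:
        if name not in final:
            findings.append(name + " is not in FINALPREFERENCES: a lower level may override it")
    return findings

def audit_site(data_dir, required_final=()):
    """Audit site-level, secondary site-level and every web-level preferences topic."""
    data = Path(data_dir)
    topics = [data / "TWiki" / "TWikiPreferences.txt", data / "Main" / "TWikiPreferences.txt"]
    topics += sorted(data.glob("*/WebPreferences.txt"))   # covers _default too
    return {str(t.relative_to(data)): audit(t.read_text(errors="replace"), required_final)
            for t in topics if t.is_file()}

# Constructed sample topics: a weak WebPreferences beside a hardened one.
WEAK = """
   * Set WEBBGCOLOR = #FFD8AA
   * Set ALLOWTOPICCHANGE = %MAINWEB%.TWikiAdminGroup
   * Set FINALPREFERENCES = WEBTOPICLIST
"""
HARDENED = """
   * Set ALLOWTOPICCHANGE = %MAINWEB%.TWikiAdminGroup
   * Set ALLOWTOPICRENAME = %MAINWEB%.TWikiAdminGroup
   * Set FINALPREFERENCES = WIKIWEBMASTER, ATTACHFILESIZELIMIT, ALLOWTOPICRENAME
"""

if __name__ == "__main__":
    report = (audit_site(sys.argv[1], REQUIRED_FINAL) if len(sys.argv) > 1
              else {"weak": audit(WEAK, REQUIRED_FINAL), "hardened": audit(HARDENED, REQUIRED_FINAL)})
    for topic, findings in report.items():
        print(topic, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it with the path to the TWiki data directory to audit a live site; without an argument it audits the two constructed samples.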

This vulnerability of the undocumented second-level site preferences has been reported by MS via e-mail.

-- PeterThoeny - 18 Dec 2003

I also noted that once %MAINWEB%.TWikiPreferences has been secured correctly, this is a positive piece of functionality. If you ensure that %TWIKIWEB%.TWikiPreferences is locked and never changed ever, and set local settings - including FINALPREFERENCES - in %MAINWEB%.TWikiPreferences, then upgrades become significantly simpler.

(I was looking to implement local and system separation?, and came across the undocumented feature. I think more work is needed for local and system separation?, but the undocumented code is a very good start.)

Meta: Do you want me to move this comment to somewhere else - ala the last security issue?

-- MS - 20 Dec 2003

Follow-up in SeparateTWikiSystemAndSitePreferences

-- PeterThoeny - 22 Dec 2003
