Security audit: TWiki Preferences need to be secured properly

This is an alert for site owners to check their ALLOWTOPICRENAME and FINALPREFERENCES settings in their TWiki's TWikiPreferences and WebPreferences.

  • Sites that allow anyone to rename topics should set the ALLOWTOPICRENAME setting in all preferences topics to prevent a user from renaming the preferences topic and recreating their preferred preferences
  • At each level you can prevent a lower level from overloading a setting by listing them in the FINALPREFERENCES

TWiki has three documented (and one undocumented) levels of preferences settings:

  1. Site-level settings in TWiki.TWikiPreferences
  2. Secondary site-level settings in Main.TWikiPreferences
  3. Web-level settings in WebPreferences of any web
  4. User-level settings in users' home pages, like TWikiGuest

Please take the time to check if your site is secure:

  • TWiki.TWikiPreferences topic:
    • Make sure that nobody can rename the topic. Set the ALLOWTOPICRENAME to:
        * Set ALLOWTOPICRENAME = %MAINWEB%.TWikiAdminGroup
    • Make sure the FINALPREFERENCES setting lists all settings you do not want to have redefined at a lower level
    • The site-level preferences are located in [[%TWIKIWEB%.%TOPIC%]]:
        * Set ALLOWTOPICCHANGE = %MAINWEB%.TWikiAdminGroup
        * Set ALLOWTOPICRENAME = %MAINWEB%.TWikiAdminGroup

  • WebPreferences topics in each web (including the _default web):
    • Make sure the ALLOWTOPICRENAME setting lists the %MAINWEB%.TWikiAdminGroup
    • Make sure the FINALPREFERENCES setting lists all settings you do not want to have redefined at the user level

-- PeterThoeny - 18 Dec 2003
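An audit script for the checklist above, added here as an example; it is not part of the original post or of TWiki itself. It parses the `* Set NAME = value` bullet lines TWiki uses for preferences and reports a topic whose ALLOWTOPICRENAME does not name the admin group or whose FINALPREFERENCES leaves a chosen setting open to redefinition. The sample topics are constructed, and the admin group and the list of settings to treat as locked are assumptions passed in as parameters, since which settings a site finalizes is the site's decision.

```python
import re
from typing import Dict, List, Sequence

# TWiki stores a preference as a bullet line "   * Set NAME = value".
SET_RE = re.compile(r"^\s+\*\s+Set\s+([A-Z0-9_]+)\s*=\s*(.*?)\s*$")

# Constructed sample topic: renaming is not restricted and FINALPREFERENCES
# does not protect the access-control settings from a lower level.
WEAK_TOPIC = """\
   * Set ALLOWTOPICCHANGE = %MAINWEB%.TWikiAdminGroup
   * Set FINALPREFERENCES = ATTACHFILESIZELIMIT, WIKIWEBMASTER
"""

# The same constructed topic with the settings recommended in the post above.
HARDENED_TOPIC = """\
   * Set ALLOWTOPICCHANGE = %MAINWEB%.TWikiAdminGroup
   * Set ALLOWTOPICRENAME = %MAINWEB%.TWikiAdminGroup
   * Set FINALPREFERENCES = ALLOWTOPICCHANGE, ALLOWTOPICRENAME, FINALPREFERENCES, ATTACHFILESIZELIMIT
"""


def parse_settings(topic_text: str) -> Dict[str, str]:
    """Collect the '* Set' lines of a topic; a later line overrides an earlier one."""
    settings: Dict[str, str] = {}
    for line in topic_text.splitlines():
        match = SET_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def _csv(value: str) -> List[str]:
    """Split a comma-separated TWiki value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_preferences(topic_text: str, admin_group: str,
                      locked: Sequence[str]) -> List[str]:
    """Return findings for one preferences topic; an empty list means it passes.
    admin_group is the only principal that should be able to rename the topic
    (assumed here to be %MAINWEB%.TWikiAdminGroup); locked lists the settings
    the site does not want redefined at a lower level (an assumed choice)."""
    settings = parse_settings(topic_text)
    findings: List[str] = []
    # Without a restrictive ALLOWTOPICRENAME the topic follows the web's rename
    # policy, which on an open site means anyone can rename it.
    if admin_group not in _csv(settings.get("ALLOWTOPICRENAME", "")):
        findings.append(f"ALLOWTOPICRENAME does not restrict renaming to {admin_group}")
    final = set(_csv(settings.get("FINALPREFERENCES", "")))
    for name in locked:
        if name not in final:
            findings.append(f"{name} is missing from FINALPREFERENCES and can be overridden")
    return findings
```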

This vulnerability of the undocumented second-level site preferences has been reported by MS via e-mail.

-- PeterThoeny - 18 Dec 2003

I also noted that once %MAINWEB%.TWikiPreferences has been secured correctly, this is a positive piece of functionality. If you ensure that %TWIKIWEB%.TWikiPreferences is locked and never changed ever, and set local settings - including FINALPREFERENCES - in %MAINWEB%.TWikiPreferences, then upgrades become significantly simpler.

(I was looking to implement local and system separation, and came across the undocumented feature. I think more work is needed for local and system separation, but the undocumented code is a very good start.)

Meta: Do you want me to move this comment to somewhere else - ala the last security issue?

-- MS - 20 Dec 2003

Follow-up in SeparateTWikiSystemAndSitePreferences

-- PeterThoeny - 22 Dec 2003

Topic revision: r4 - 2004-09-17 - PeterThoeny