
Security Audit: Incorrect Documentation of Permission Settings with empty Values

ALERT! To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList.

This is an advisory for TWiki site administrators: check your TWiki installation to make sure the access permission settings have the effect you intend, in particular any ALLOW/DENY setting that is present but has an empty value.

Software Versions with Incorrect Documentation

The TWikiAccessControl documentation of the following TWiki releases describes ALLOW/DENY settings in a way that does not match the actual implementation:

  • TWiki Release 4.0
  • TWiki Release 4.1

Impact if ALLOW/DENY Settings are not set Properly

  • Users might not be able to access content they are entitled to see or change.
  • Users might be granted access to content they are not entitled to see or change (for example, an administrator who set an empty ALLOWTOPICCHANGE in the belief that it locks the topic).

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 3 issue: TWiki content or browser is compromised.

Details are in the #twiki-st IRC log, 2007-02-18.

Details

As documented in TWikiAccessControl, ALLOW/DENY settings can be used in the site preferences, web preferences and topics to control view, change and rename access rights. TWiki Releases 4.0 and 4.1 have incorrect documentation of empty settings, such as:

  • Set ALLOWTOPICCHANGE =

As implemented in all TWiki versions, an empty ALLOW setting is identical to no setting: it is skipped, and access is decided by the remaining rules (web-level settings, then the default of permitting access). However, the TWikiAccessControl topic of TWiki Releases 4.0 and 4.1 states that an empty ALLOWTOPICVIEW/CHANGE/RENAME setting denies access to everyone except admins, which does not match the actual implementation. Empty DENY settings are not affected by this documentation error; see the rules below.

The following section is the proper documentation of the ALLOW/DENY settings. Text removed from the 4.0/4.1 documentation is marked "Deleted text:" and text added is marked "Added text:".

How TWiki evaluates ALLOW/DENY settings

When deciding whether to grant access, TWiki evaluates the following rules in order (read from the top of the list; as soon as the logic arrives at PERMITTED or DENIED that result applies immediately and no more rules are evaluated). Read the rules bearing in mind that VIEW, CHANGE and RENAME access are each evaluated separately, against their own ALLOW/DENY settings.

  1. If the user is a super-user
    • access is PERMITTED.
  2. If DENYTOPIC is set to a list of wikinames
    • people in the list will be DENIED.
  3. If DENYTOPIC is set to empty ( i.e. Set DENYTOPIC = )
    • access is PERMITTED, i.e. no-one is denied access to this topic, regardless of any web-level DENYWEB or ALLOWWEB setting.
  4. If ALLOWTOPIC is set to a list of wikinames
    1. people in the list are PERMITTED
    2. everyone else is DENIED
      • Deleted text: Note that this means that setting ALLOWTOPIC to empty denies access to everyone except admins (unless DENYTOPIC is also set to empty, as described above)
      • Added text: An empty ALLOWTOPIC setting ( i.e. Set ALLOWTOPIC = ) is the same as no setting at all; evaluation continues with the web-level rules below.
  5. If DENYWEB is set to a list of wikinames
    • people in the list are DENIED access
  6. If ALLOWWEB is set to a list of wikinames
    • people in the list will be PERMITTED
    • everyone else will be DENIED
      • Deleted text: Note that setting ALLOWWEB to empty denies access to everyone except admins
      • Added text: An empty ALLOWWEB setting is the same as no setting at all.
  7. If you got this far, access is PERMITTED

Note: ALLOW and DENY have inconsistent interpretations of an empty value: an empty DENY setting permits everyone (rule 3), whereas an empty ALLOW setting is simply ignored. This is due to an undetected bug which should be fixed in a future release.

Countermeasures

Please take the time to check whether the empty preferences settings in your TWiki installation have the effect you intend. To find all ALLOW/DENY settings with empty values, do a WebSearchAdvanced search in all webs with regular expressions enabled, searching for:

Set *(ALLOW|DENY)(WEB|TOPIC)(VIEW|CHANGE|RENAME) *= *$

For each hit, decide what the setting was meant to do. An empty ALLOW setting has no effect, so if it was meant to restrict access, replace it with a non-empty list of users or groups (or remove it if it was never meant to restrict anything). An empty DENY setting does have an effect: it permits everyone and overrides the web-level settings, so keep it only where that is intended.
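The script below is an added example, written for this page and not part of TWiki or its security audit. It demonstrates two things from this advisory: the countermeasure search (the regex above, adapted to match TWiki's "   * Set NAME = value" preference lines in raw topic text) and the rule order in "How TWiki evaluates ALLOW/DENY settings", with a switch that models the wrong 4.0/4.1 documentation (empty ALLOW denies everyone except admins) next to the actual behaviour (empty ALLOW is ignored). The sample topics, the superuser set and the web name Sandbox are constructed; group expansion is not modelled, and an empty DENYWEB is treated as unset, which is this author's reading of rule 5.

```python
import re
from typing import Dict, List, Tuple

# The advisory's search pattern, anchored to TWiki's "   * Set NAME = value"
# preference syntax. The value is captured so one regex both finds empty
# settings and parses non-empty ones.
SETTING_RE = re.compile(
    r"^\s*\*\s*Set\s+((?:ALLOW|DENY)(?:WEB|TOPIC)(?:VIEW|CHANGE|RENAME))\s*=\s*(.*?)\s*$"
)


def _wikiname(name: str) -> str:
    # Accept "Main.JohnSmith" or "JohnSmith". Group expansion is not modelled.
    return name.strip().split(".")[-1]


def parse_access_settings(text: str) -> Dict[str, List[str]]:
    """Map each ALLOW/DENY setting in a topic to its list of wikinames.

    A setting that is present but empty maps to []; one that is absent has
    no key at all. Telling those two apart is the point of the advisory.
    """
    settings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = [_wikiname(n) for n in m.group(2).split(",") if n.strip()]
    return settings


def find_empty_settings(topics: Dict[str, str]) -> List[Tuple[str, str]]:
    """Countermeasure: (topic, setting) for every ALLOW/DENY value that is empty."""
    return sorted((name, setting)
                  for name, text in topics.items()
                  for setting, members in parse_access_settings(text).items()
                  if not members)


def check_access(user, mode, topic_prefs, web_prefs, superusers, documented=False):
    """Evaluate the advisory's rules 1-7 in order for mode VIEW, CHANGE or RENAME.

    documented=True models the 4.0/4.1 TWikiAccessControl text, where an empty
    ALLOW denies everyone except superusers. The default models the actual
    implementation, where an empty ALLOW is treated as if it were not set.
    """
    user = _wikiname(user)
    if user in superusers:                                   # rule 1
        return True
    deny = topic_prefs.get("DENYTOPIC" + mode)
    if deny is not None:
        if not deny:                                         # rule 3: empty DENYTOPIC permits all
            return True
        if user in deny:                                     # rule 2
            return False
    allow = topic_prefs.get("ALLOWTOPIC" + mode)
    if allow is not None and (allow or documented):          # rule 4 (empty skipped unless 'documented')
        return user in allow
    deny = web_prefs.get("DENYWEB" + mode)
    if deny and user in deny:                                # rule 5 (empty DENYWEB treated as unset here)
        return False
    allow = web_prefs.get("ALLOWWEB" + mode)
    if allow is not None and (allow or documented):          # rule 6
        return user in allow
    return True                                              # rule 7


# Constructed sample topics, not taken from any real site. The web denies
# JohnSmith view access; LockedTopic's author used an empty ALLOWTOPICCHANGE
# in the belief (from the wrong documentation) that it locks the topic.
SAMPLE_TOPICS = {
    "Sandbox.WebPreferences": "   * Set DENYWEBVIEW = Main.JohnSmith\n",
    "Sandbox.LockedTopic":    "Internal notes.\n   * Set ALLOWTOPICCHANGE =\n",
    "Sandbox.PublicTopic":    "   * Set DENYTOPICVIEW =\n",
    "Sandbox.PlainTopic":     "No settings here.\n",
}
SUPERUSERS = {"AdminUser"}  # constructed stand-in for the site's admin users


def audit(topics=SAMPLE_TOPICS, web="Sandbox", user="JohnSmith"):
    """Return the empty-setting hits plus (actual, documented) answers for one
    user on every topic, so the discrepancy is visible in a single table."""
    web_prefs = parse_access_settings(topics[web + ".WebPreferences"])
    results = {"empty": find_empty_settings(topics), "access": {}}
    for name, text in topics.items():
        tp = parse_access_settings(text)
        for mode in ("VIEW", "CHANGE"):
            results["access"][(name, mode)] = (
                check_access(user, mode, tp, web_prefs, SUPERUSERS),
                check_access(user, mode, tp, web_prefs, SUPERUSERS, documented=True),
            )
    return results


if __name__ == "__main__":
    r = audit()
    for hit in r["empty"]:
        print("empty setting:", *hit)
    for (name, mode), (actual, doc) in sorted(r["access"].items()):
        print(f"{name:24} {mode:6} actual={actual!s:5} documented={doc}")
```

The row to look at is Sandbox.LockedTopic CHANGE: the documentation says JohnSmith is denied, the implementation lets him edit the topic, which is exactly the second impact bullet above. Sandbox.PublicTopic VIEW shows the other side of the inconsistency, an empty DENYTOPICVIEW granting view access even though the web-level DENYWEBVIEW names the user.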

Authors and Credits

Action Plan with Timeline

#  Action                                                              Date        Status  Who
1  User discloses vulnerability to twiki-security                      2007-02-16  Done    CrawfordCurrie
2  Developer verifies issue                                            2007-02-16  Done    KennethLavrsen, CrawfordCurrie
3  Security team triages issue and decides on action                   2007-02-18  Done    KennethLavrsen, PeterThoeny
4  Security team creates security audit                                2007-02-18  Done    PeterThoeny
5  Publish security audit in Codev web and update all related topics   2007-02-18  Done    PeterThoeny
6  Send alert to TWikiAnnounceMailingList and TWikiDevMailingList      2007-02-19  Done    PeterThoeny

-- Contributors: PeterThoeny, CrawfordCurrie

Discussion

I corrected the advisory. Only ALLOW is affected, not DENY.

-- CrawfordCurrie - 20 Feb 2007

Topic attachments

  • twiki-st-2007-02-18.txt (text, 13.9 K, r1, uploaded 2007-02-19 07:39 by PeterThoeny): TWiki Security meeting at #twiki-st IRC channel, 2007-02-18
Topic revision: r2 - 2007-02-20 - CrawfordCurrie
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.