
Security Audit: Visible Lib Directories

ALERT! Please join the twiki-announce list: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This is an advisory for TWiki site administrators to check their TWiki installation to make sure the lib directories are not visible over http.

Vulnerable Software Version

Any TWiki site with a non-standard TWiki setup and Apache configuration might be vulnerable.

Impact if Exposed

The TWiki configuration file and TWiki source code might be viewable with a web browser, which exposes more details than necessary from a security point of view.

Details

If you followed the TWiki installation steps as described in TWikiInstallationGuide you should be OK. However, any non-standard TWiki installation should be checked carefully to make sure the lib directory is not exposed over http. The directories twiki/data, twiki/lib and twiki/templates, all their subdirectories and the files they contain should be configured in your Apache server so that they are not visible through URLs.

To check your site:

  1. Check whether /lib/TWiki.cfg is reachable over the web by simply browsing to it.
    IDEA! Hint: If you are curious as to where the lib directory is located, it is usually on the same directory level as the pub directory. Have a look at the images on your wiki to find out which one that is, as they are usually stored below the pub directory. Of course, the easiest way to find the correct URL is to look at how the files are laid out on your server (taking into account the settings in httpd.conf, especially the Alias setting).
  2. Check whether lib/TWiki is exposed as a URL. Try a Google search on your site,
    http://www.google.com/search?q=allinurl:lib/TWiki+site:example.org
    (replace example.org with your site)

Countermeasures

Fix Alias and Directory settings in the Apache configuration file(s).

  1. In the Apache configuration file(s) for TWiki pay special attention to the Alias, Directory[Match], Files[Match] and Location[Match] directives.
  2. Read the Apache documentation for release 1.3, 2.0 or 2.1 on the order in which these directives are applied.
  3. Apply fixes.
  4. Retest your site.

FIXME: More detailed instructions.
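As an added illustration (not part of the original advisory, and not TWiki's shipped configuration), the fragment below shows the kind of Alias setup that publishes the whole tree next to a corrected one that exposes only bin and pub and explicitly denies lib, data and templates. The install path /var/www/twiki and the standard directory layout are assumptions.

```apache
# Added example, not from the advisory. Assumes TWiki is installed under
# /var/www/twiki with the usual bin/, pub/, lib/, data/, templates/ layout.

# WEAK: a single Alias publishes the whole tree, so /twiki/lib/TWiki.cfg,
# /twiki/data/... and /twiki/templates/... are all served as static files.
#   Alias /twiki /var/www/twiki

# CORRECTED: map only the CGI scripts and the attachment directory to URLs.
ScriptAlias /twiki/bin "/var/www/twiki/bin"
Alias       /twiki/pub "/var/www/twiki/pub"

<Directory "/var/www/twiki/bin">
    AllowOverride None
    Options ExecCGI FollowSymLinks
    # Apache 1.3 / 2.0 / 2.2 access-control syntax
    Order allow,deny
    Allow from all
</Directory>

<Directory "/var/www/twiki/pub">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

# Deny the private directories by filesystem path, so they stay hidden even
# if another Alias or a DocumentRoot above /var/www/twiki would reach them.
<Directory "/var/www/twiki/lib">
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/twiki/data">
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/twiki/templates">
    Order deny,allow
    Deny from all
</Directory>

# On Apache 2.4 replace the Order/Allow/Deny lines with
# "Require all granted" (bin, pub) and "Require all denied" (lib, data, templates).
```

After reloading Apache, repeat the checks above: a request for /twiki/lib/TWiki.cfg should now return 403, not the file contents.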

Authors and Credits

Action Plan with Timeline

| # | Action | Date/Deadline | Status | Who |
| 1 | User discloses issue to TWikiSecurityMailingList | 2005-09-18 | Done | MoritzNaumann |
| 2 | Investigate issue | 2005-09-20 | Done | CrawfordCurrie |
| 3 | Publish advisory in Codev web | 2005-09-27 evening PDT | Done | PeterThoeny |
| 4 | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList (as part of SecurityAlertExecuteCommandsWithInclude advisory) | 2005-09-27 evening PDT | Done | PeterThoeny |
| 5 | Extended advisory in Codev web | 2005-09-28 noon UTC | Done | MoritzNaumann |

-- PeterThoeny - 28 Sep 2005
-- Moritz Naumann - 28 Sep 2005

Discussions

Topic revision: r4 - 2009-11-06 - PeterThoeny