TWiki Security for Public Sites

Overview

The purpose of this topic is to list recommended practices to help assure security (or at least minimize risk) of using TWiki in public web sites. This was prompted in the aftermath of SecurityAlertExecuteCommandsWithSearch and follow-up discussions regarding potential vulnerabilities of TWiki used in public sites.

Recommended Actions/Practices:

• Install fix described in SecurityAlertExecuteCommandsWithSearch if you are using a version older then TWikiRelease02Sep2004
• Stay current with TWikiSecurityAlerts by subscribing to TWikiAnnounceMailingList. (duh!)
• Don't place the data directory under apache document root.

Contributors:

• LynnwoodBrown - 30 Nov 2004

Discussion & Comments

Resources:

• Penetration Testing http://www.blackhat.com/presentations/bh-usa-01/IvanAcre/bh-usa-01-Ivan-Arce.ppt
• PWC Security Framework http://www.masoftware.org/download/verweij11-09.ppt

-- MartinCleaver - 01 Dec 2004

• Improving Web Application Security http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/threatcounter.asp

-- MartinCleaver - 01 Dec 2004

This should probably be merged with SecureSetup. Also, I don't think the emphasis on public sites is particularly useful - this could be applicable to intranet TWikis, since an internal machine might be compromised as a launching pad for an attack on a TWiki.

How about calling this SecureDeployment? or something?

-- RichardDonkin - 05 Dec 2004