Security Audit: Incorrect Documentation of Permission Settings with empty Values
Please join the twiki-announce list: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList
This is an advisory for TWiki site administrators to check their TWiki installation to make sure the access permission settings are set properly.
Software Version with Incorrect Documentation
The TWikiAccessControl documentation of the following TWiki releases describes ALLOW/DENY settings that do not match the actual implementation:
- TWiki Release 4.0
- TWiki Release 4.1
Impact if ALLOW/DENY Settings are not set Properly
- Users might not be able to access content they are entitled to see/change.
- Users might be granted access to content they are not entitled to see/change.
Severity Level
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:
- Severity 3 issue: TWiki content or browser is compromised.
Details are in the #twiki-st IRC log, 2007-02-18.
Details
As documented in TWikiAccessControl, ALLOW/DENY settings can be used in the site preferences, web preferences and topics to control view, change and rename access rights. TWiki Releases 4.0 and 4.1 document empty settings incorrectly. As implemented in all TWiki versions, an empty ALLOW setting is identical to no setting. However, the TWikiAccessControl topic of TWiki Releases 4.0 and 4.1 states that an empty ALLOWTOPICVIEW/CHANGE/RENAME setting denies access to everyone except admins, which does not match the actual implementation.
The following section is the proper documentation of the ALLOW/DENY settings; text removed from the 4.0/4.1 documentation is marked [deleted] and text added to it is marked [added].
How TWiki evaluates ALLOW/DENY settings
When deciding whether to grant access, TWiki evaluates the following rules in order (read from the top of the list; if the logic arrives at PERMITTED or DENIED, that applies immediately and no more rules are applied). You need to read the rules bearing in mind that VIEW and CHANGE access may be granted/denied separately.
- If the user is a super-user
  - access is PERMITTED
- If DENYTOPIC is set to a list of wikinames
  - people in the list will be DENIED
- If DENYTOPIC is set to empty ( i.e. Set DENYTOPIC = )
  - access is PERMITTED, i.e. no-one is denied access to this topic
- If ALLOWTOPIC is set
  - people in the list are PERMITTED
  - everyone else is DENIED
  - [deleted] Note that this means that setting ALLOWTOPIC to empty denies access to everyone except admins (unless DENYTOPIC is also set to empty, as described above)
- If DENYWEB is set to a list of wikinames
  - people in the list are DENIED access
- If ALLOWWEB is set to a list of wikinames
  - people in the list will be PERMITTED
  - everyone else will be DENIED
  - [deleted] Note that setting ALLOWWEB to empty denies access to everyone except admins
- If you got this far, access is PERMITTED
[added] Note: ALLOW and DENY have inconsistent interpretations of an empty value. This is due to an undetected bug which should be fixed in a future release.
Countermeasures
Please take the time to check your TWiki installation to verify that preferences settings with empty values have the effect you intend. An empty ALLOW setting does not restrict access: if you relied on the documented behaviour to lock a topic or web down, set the ALLOW setting to an explicit list of the wikinames that should have access instead. To find all preferences settings with empty values, do a WebSearchAdvanced search in all webs with regular expressions enabled, searching for:
Set *(ALLOW|DENY)(WEB|TOPIC)(VIEW|CHANGE|RENAME) *= *$
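To make the rule order and the countermeasure concrete, here is an added Python example (not TWiki's own Perl code) that parses the Set lines of a topic and of its web preferences, evaluates ALLOW/DENY in the order listed under "How TWiki evaluates ALLOW/DENY settings" as implemented, and runs the advisory's search expression over a topic to find empty settings. The topic and web texts, the wikinames, the admin set and the function names are constructed for this example; group expansion is omitted, and an empty DENYWEB setting, which the rules above do not describe, is treated as no setting. The old_docs_semantics switch reproduces what the 4.0/4.1 documentation wrongly claimed for an empty ALLOW setting, so the two behaviours can be compared on the same input.

```python
import re
from typing import Dict, List

# Added example, not TWiki's own code. Constructed preferences text for one
# topic and for the web that contains it; all wikinames are made up.
TOPIC_TEXT = "\n".join([
    "---+ Project plan",
    "   * Set ALLOWTOPICVIEW = ",     # empty ALLOW: identical to no setting
    "   * Set DENYTOPICCHANGE = ",    # empty DENY: nobody is denied CHANGE
    "Body text of the topic.",
])
WEB_TEXT = "\n".join([
    "   * Set ALLOWWEBVIEW = AliceMember, BobMember",
    "   * Set DENYWEBCHANGE = GuestUser",
])
ADMINS = {"AdminUser"}   # stands in for TWiki's super-user check (assumption)

# Matches one '   * Set NAME = value' line; the value may be empty.
SETTING_RE = re.compile(
    r"^[ \t]*\*[ \t]*Set[ \t]+((?:ALLOW|DENY)(?:WEB|TOPIC)(?:VIEW|CHANGE|RENAME))"
    r"[ \t]*=[ \t]*(.*?)[ \t]*$",
    re.MULTILINE,
)

# The countermeasure search expression from the advisory, unchanged.
EMPTY_SETTING_RE = re.compile(
    r"Set *(ALLOW|DENY)(WEB|TOPIC)(VIEW|CHANGE|RENAME) *= *$", re.MULTILINE
)


def parse_settings(text: str) -> Dict[str, List[str]]:
    """Return {setting name: [wikinames]}. A setting that is present but empty
    maps to [], which the evaluator keeps distinct from an absent setting."""
    settings: Dict[str, List[str]] = {}
    for m in SETTING_RE.finditer(text):
        settings[m.group(1)] = [w for w in re.split(r"[,\s]+", m.group(2)) if w]
    return settings


def find_empty_settings(text: str) -> List[str]:
    """Names of every ALLOW/DENY setting whose value is empty."""
    return ["".join(m.groups()) for m in EMPTY_SETTING_RE.finditer(text)]


def is_permitted(user: str, action: str, topic_text: str, web_text: str,
                 admins=ADMINS, old_docs_semantics: bool = False) -> bool:
    """Apply the rules in the documented order. With old_docs_semantics=True an
    empty ALLOW setting behaves as the 4.0/4.1 documentation wrongly claimed
    (deny everyone except admins) instead of as implemented (no setting)."""
    action = action.upper()
    topic = parse_settings(topic_text)
    web = parse_settings(web_text)
    if user in admins:                          # super-user: PERMITTED
        return True
    deny_topic = topic.get("DENYTOPIC" + action)
    if deny_topic is not None:
        if deny_topic:                          # list of wikinames
            if user in deny_topic:
                return False
        else:                                   # 'Set DENYTOPICx = ': nobody denied
            return True
    allow_topic = topic.get("ALLOWTOPIC" + action)
    if allow_topic is not None:
        if allow_topic or old_docs_semantics:   # as implemented, [] == no setting
            return user in allow_topic
    deny_web = web.get("DENYWEB" + action)
    if deny_web and user in deny_web:           # empty DENYWEB: no setting (assumption)
        return False
    allow_web = web.get("ALLOWWEB" + action)
    if allow_web:
        return user in allow_web
    return True                                 # got this far: PERMITTED


if __name__ == "__main__":
    print("empty settings in topic:", find_empty_settings(TOPIC_TEXT))
    for user, action in [("AliceMember", "view"), ("JaneDoe", "view"),
                         ("GuestUser", "change"), ("AdminUser", "view")]:
        print(user, action,
              "as implemented:", is_permitted(user, action, TOPIC_TEXT, WEB_TEXT),
              "/ as documented in 4.0/4.1:",
              is_permitted(user, action, TOPIC_TEXT, WEB_TEXT, old_docs_semantics=True))
```

Running the script shows the gap the advisory is about: AliceMember is permitted to view the topic as implemented, because the empty ALLOWTOPICVIEW falls through to the web-level ALLOWWEBVIEW list, whereas the 4.0/4.1 documentation would have led an administrator to expect her to be denied. The empty DENYTOPICCHANGE, by contrast, really does permit CHANGE for everyone, including GuestUser who is named in DENYWEBCHANGE.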
Authors and Credits
Action Plan with Timeline
-- Contributors: PeterThoeny, CrawfordCurrie
Discussion
I corrected the advisory. Only ALLOW is affected, not DENY.
-- CrawfordCurrie - 20 Feb 2007