Security audit: TWiki Preferences need to be secured properly
This is an alert for site owners to check their ALLOWTOPICRENAME and FINALPREFERENCES settings in their TWiki's TWikiPreferences and WebPreferences.
- Sites that allow anyone to rename topics should set the ALLOWTOPICRENAME setting in all preferences topics, to prevent a user from renaming the preferences topic and recreating it with their own preferred settings
- At each level you can prevent a lower level from overriding a setting by listing it in FINALPREFERENCES
TWiki has three documented (and one undocumented) levels of preference settings:
- Site-level settings in TWiki.TWikiPreferences
- Secondary site-level settings in Main.TWikiPreferences
- Web-level settings in WebPreferences of any web
- User-level settings in users' home pages, like TWikiGuest
Please take the time to check if your site is secure:
- TWiki.TWikiPreferences topic:
  - Make sure that nobody can rename the topic. Set ALLOWTOPICRENAME to:
    * Set ALLOWTOPICRENAME = %MAINWEB%.TWikiAdminGroup
  - Make sure the FINALPREFERENCES setting lists all settings you do not want to have redefined at a lower level
- The site-level preferences are located in [[%TWIKIWEB%.%TOPIC%]]
    * Set ALLOWTOPICCHANGE = %MAINWEB%.TWikiAdminGroup
    * Set ALLOWTOPICRENAME = %MAINWEB%.TWikiAdminGroup
- WebPreferences topics in each web (including the _default web):
  - Make sure the ALLOWTOPICRENAME setting lists the %MAINWEB%.TWikiAdminGroup
  - Make sure the FINALPREFERENCES setting lists all settings you do not want to have redefined at the user level
-- PeterThoeny - 18 Dec 2003
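As an added illustration (not TWiki's own code), the following Python models the four-level cascade above: a name listed in a level's FINALPREFERENCES can no longer be redefined by a lower level, and a small audit reports preference topics whose ALLOWTOPICRENAME does not list the admin group. The topic bodies and the Sandbox web are constructed samples.

```python
import re
SET_RE = re.compile(r"^\s+\* Set (\w+) = (.*)$")  # TWiki "   * Set NAME = value" bullet

def parse_settings(topic_text):
    """Return {NAME: value} for every '* Set' line in a preference topic."""
    found = {}
    for line in topic_text.splitlines():
        m = SET_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def resolve(levels):
    """Cascade levels site -> web -> user; a name in a level's FINALPREFERENCES
    cannot be redefined by any lower level (later entry in `levels`)."""
    effective, final = {}, set()
    for text in levels:
        own = parse_settings(text)
        for name, value in own.items():
            if name not in final:          # lower level may not override a finalized name
                effective[name] = value
        final |= {n.strip() for n in own.get("FINALPREFERENCES", "").split(",") if n.strip()}
    return effective

def audit_rename(topics, admin="%MAINWEB%.TWikiAdminGroup"):
    """Names of preference topics whose ALLOWTOPICRENAME does not list the admin group."""
    bad = []
    for topic, text in topics.items():
        allowed = parse_settings(text).get("ALLOWTOPICRENAME", "")
        if admin not in [a.strip() for a in allowed.split(",")]:
            bad.append(topic)
    return bad

PREF_TOPICS = {  # constructed sample topic bodies, not content from a real site
    "TWiki.TWikiPreferences": "   * Set ALLOWTOPICRENAME = %MAINWEB%.TWikiAdminGroup\n"
                              "   * Set WIKITOOLNAME = TWiki\n"
                              "   * Set FINALPREFERENCES = ALLOWTOPICRENAME, WIKITOOLNAME\n",
    "Main.TWikiPreferences": "   * Set WIKITOOLNAME = Overridden\n",  # undocumented level, no rename lock
    "Sandbox.WebPreferences": "   * Set ALLOWTOPICRENAME = %MAINWEB%.TWikiAdminGroup\n"
                              "   * Set WEBBGCOLOR = #FFD8AA\n"
                              "   * Set FINALPREFERENCES = WEBBGCOLOR\n",
}
USER_TOPIC = "   * Set WEBBGCOLOR = #000000\n   * Set EDITBOXHEIGHT = 30\n"  # Main.TWikiGuest

def effective_settings():
    return resolve(list(PREF_TOPICS.values()) + [USER_TOPIC])

if __name__ == "__main__":
    print(effective_settings())      # WIKITOOLNAME stays TWiki, WEBBGCOLOR stays #FFD8AA
    print(audit_rename(PREF_TOPICS)) # ['Main.TWikiPreferences']
```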
This vulnerability of the undocumented second level site-preferences has been reported by MS via e-mail.
-- PeterThoeny - 18 Dec 2003
I also noted that once %MAINWEB%.TWikiPreferences has been secured correctly that this is a positive piece of functionality. If you ensure that %TWIKIWEB%.TWikiPreferences is locked and never changed ever, and set local settings - including FINALPREFERENCES in %MAINWEB%.TWikiPreferences then upgrades become significantly simpler.
(I was looking to implement local and system separation, and came across the undocumented feature. I think more work is needed for local and system separation, but the undocumented code is a very good start.)
Meta: Do you want me to move this comment to somewhere else - ala the last security issue?
-- MS - 20 Dec 2003
Follow-up in SeparateTWikiSystemAndSitePreferences
-- PeterThoeny - 22 Dec 2003