Security Audit: Visible Lib Directories
 Please join thetwiki-announce list: |
To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList |
|---|
Vulnerable Software Version
Any TWiki site with non-standard TWiki setup and Apache configuration might be vulnerable.Impact if Exposed
The TWiki configuration file and TWiki source code might be viewable with a web browser, which exposes more details than necessary from a security point of view.Details
If you followed the TWiki installation steps as described in TWikiInstallationGuide you should be OK. However, any non-standard TWiki installation should be checked carefully to see if the lib directory is not exposed by http. Directoriestwiki/data, twiki/lib, twiki/templates and all their subdirectories and the files they include should be configured in your Apache server so that they are not visible through URLs.
To check your site:
- Test your site if
/lib/TWiki.cfgis available via the web, by simply browsing to it.
Hint: If you are curiuos as to where the libdirectory is located, it is usually on the same directory level as thepubdirectory. Have a look at the images on your wiki to find out which one that is, as they are usually stored below thepubdirectory. Of course, the easiest way to find the correct URL is to look how the files are located on your server (and taking in account the instructions you set in httpd.conf - especially theAliassetting). - Test your site if
lib/TWikiis exposed as a URL. Try a Google search on your site,
http://www.google.com/search?q=allinurl:lib/TWiki+site:example.org
(replaceexample.orgwith your site)
Countermeasures
Fix Alias and Directory settings in the Apache configuration file(s).- In the Apache configuration file(s) for TWiki pay special attention to the Alias, Directory[Match], Files[Match] and Location[Match] instructions.
- Read the Apache documentation for release 1.3, 2.0 or 2.1 on the order these instructions are applied in.
- Apply fixes.
- Retest your site.
Authors and Credits
- Credit to Moritz Naumann (http://www.moritz-naumann.com/) for disclosing the issue to the twiki-security@listsPLEASENOSPAM.sourceforge.net mailing list
- TWiki:Main.CrawfordCurrie and TWiki:Main.PeterThoeny for investigating the issue and for creating the security audit
Action Plan with Timeline
| # | Action | Date/ Deadline | Status | Who |
|---|---|---|---|---|
| 1. | User discloses issue to TWikiSecurityMailingList | 2005-09-18 | Done | MoritzNaumann |
| 2. | Investigate issue | 2005-09-20 | Done | CrawfordCurrie |
| 3. | Publish advisory in Codev web | 2005-09-27 evening PDT | Done | PeterThoeny |
| 4. | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList (as part of SecurityAlertExecuteCommandsWithInclude advisory) | 2005-09-27 evening PDT | Done | PeterThoeny |
| 5. | Extended advisory in Codev web | 2005-09-28 noon UTC | Done | MoritzNaumann |
-- Moritz Naumann - 28 Sep 2005
Discussions
Topic revision: r4 - 2009-11-06 - PeterThoeny
Site map
Blog web
Create New Topic
Index
Search
Advanced search
My topics of interest
Changes
Major changes only
All tags
Notifications
RSS Feed
Statistics
Preferences
Community 
Readme first
Developers News
How you can help
Community roles
#twiki IRC
Lima Release
Bugs Changes
Categories 
Account 
Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.