To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList.
How to tell the TWiki security team about potential issues
To notify the TWiki SecurityTeam about a potential security issue, just send an email to the TWikiSecurityMailingList - no need to subscribe.
TWikiSecurityAlertProcess covers how the team will respond to your issue and publish a fix for confirmed issues.
TWiki Security Alerts
Please check TWikiSecurityAlerts - a list of all security alerts, sorted by TWiki release. The alerts are compiled automatically from the KnownIssuesOfTWiki topics.
Security Related Topics
AllSecurityTopicsList - a list of all topics in all webs on twiki.org with "secur" in the title.
TWikiCodebaseSecurityAudit - a discussion setting the guidelines for doing a security audit. A critical component for the next TWiki release (DakarRelease).
TaintChecking is a very old discussion, but sadly relevant here... A good reason for proactive security audits.
WikiSpam Topics
WikiSpam is not a security issue, but it can reduce the usefulness of public TWiki sites - install BlackListPlugin to counter this.
PasswordSecurityDiscussions - a largely philosophical discussion on the relative merits of using passwords as a security device.
SecureSetup - some good ideas on how to 'sandbox' TWiki a bit more.
WikiSecurityPhilosophy - musings on the principles behind "classic" wiki security and the path TWiki has taken -- sometimes in concert, sometimes apart. Largely historical and in need of refactoring.