Question
Hi,
I installed TWiki a few months ago and after getting it installed I showed it to a friend (online).
The first thing he did was show me a security hole I wouldn't have guessed so quickly: <base http-equiv=refresh content=10 url=...
Content was 0.
It took every visitor to his page at once.
He removed it after showing me the problem, but I don't think it is wise to allow refresh.
Do you know if I can close that security hole and how?
- TWiki version: Dec01 2002
- Web server: Apache
- Server OS: MacOSX
- Web browser: OmniWeb
- Client OS: MacOSX
--
ArneBab - 13 May 2002
Answer
Please provide some more information, enough for someone to exactly replicate this hole - the info above is not very clear. What URL was used, what was the full page HTML (attach it if possible), and did someone hand-edit a local copy?
--
RichardDonkin - 14 May 2002
He put the phrase
<meta http-equiv="refresh" content="0" url="http://www.somepage.xyz">
into the body of the page.
The result was that the visitor was taken to the named page (here: somepage.xyz) at once.
You'll see a weaker form of the problem on this page: it refreshes itself every three seconds. The code is in the line below.
Removed HTML code
--
ArneBab - 15 May 2002
I don't agree this is a security problem - how exactly is security broken by redirecting the user to a different page? TWiki allows HTML in pages - as long as the HTML doesn't cause a browser security issue, there is no problem. If there is such a security issue, that's something that should be fixed in the browser.
Like all Wikis, TWiki relies on SoftSecurity - as long as you disable the guest account, and perhaps add approval of registrations, you will know exactly who added the HTML that caused a problem.
--
RichardDonkin - 16 May 2002
> "I now see it, thank you! I will leave my old answer standing down there, so everyone can see what has been solved. Thanks!"
> "I realized render a as b would be too dangerous, because the site-owner could too easily manipulate comments as it fits him/her, thus perverting the wiki-idea. As last resort I can use the CensorPlugin or SmiliesPlugin."
--
ArneBab - 20 May 2002
I think it should be possible to disable certain HTML tags, because this tag could take you to pages you never wanted to visit. TWiki itself is quite capable of allowing you to change the site itself instead of sending you to another one, but if I want a page open to anyone and someone inserts the refresher to take all visitors to his page, but without delay, you might not be able to change it back.
Most users don't know how to disable the refresher, so I should be able to disable it in the TWiki prefs.
So I'd need something like the option "render html-tag a as html tag b". For example, all http-equiv="refresh" tags could be changed so that the time is increased by 3 seconds.
You could still use the refresher, but you couldn't write a refresher which is that hard to stop.
As an example I'll write a page which takes you back here at once. If you have a standard browser it can be quite hard to undo the refresher.
ShowRefresherTest
In my new browser-settings that isn't that hard, but with the old ones it began to display the new page as soon as a document was requested, so I couldn't change the refresher back.
--
ArneBab - 16 May 2002
One simple suggestion: I use adsubtract - a tool to filter out ads from your browser. When it sees a refresh tag it replaces it with a simple 'autorefresh' HTML link.
--
MattWalsh - 21 May 2002
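The replacement described above (a refresh tag turned into a plain link), applied on the server to rendered wiki output, as an added example that is not part of the original thread and is not TWiki or adsubtract code. `RefreshFilter`, `neutralize_refresh` and the sample page are names constructed for this sketch; it handles both the standard `content="N; url=..."` syntax and the separate `url` attribute quoted in the thread.

```python
import html
import re
from html.parser import HTMLParser

# Standard syntax: content="N" or content="N; url=TARGET"
CONTENT_RE = re.compile(r"\s*(\d+)?\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$", re.I | re.S)

class RefreshFilter(HTMLParser):
    """Re-emit a page as-is, except <meta http-equiv=refresh> anywhere in it."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []  # output fragments; (delay, target) audit list

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "meta" or a.get("http-equiv", "").strip().lower() != "refresh":
            self.out.append(self.get_starttag_text())
            return
        m = CONTENT_RE.match(a.get("content", ""))
        delay = int(m.group(1)) if m and m.group(1) else 0
        # Fall back to the separate url="..." attribute used in the thread's snippet.
        target = (m.group(2) if m and m.group(2) else a.get("url", "")).strip().strip("'\"")
        self.blocked.append((delay, target))
        if re.match(r"https?://", target, re.I):  # visitor must click to follow it
            self.out.append('<a rel="nofollow" href="%s">autorefresh</a>'
                            % html.escape(target, quote=True))
        else:  # no target (self-refresh) or a non-http(s) scheme: drop the tag
            self.out.append("<!-- meta refresh removed -->")

    handle_startendtag = handle_starttag  # <meta ... /> form; avoids a stray end tag
    def handle_endtag(self, tag): self.out.append("</%s>" % tag)
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append("&%s;" % name)
    def handle_charref(self, name): self.out.append("&#%s;" % name)
    def handle_comment(self, data): self.out.append("<!--%s-->" % data)
    def handle_decl(self, decl): self.out.append("<!%s>" % decl)
    def handle_pi(self, data): self.out.append("<?%s>" % data)

def neutralize_refresh(page):
    """Return (filtered_html, blocked) for one page of rendered wiki output."""
    f = RefreshFilter()
    f.feed(page)
    f.close()
    return "".join(f.out), f.blocked

# Constructed sample: the tag quoted in the thread, placed in a page body.
SAMPLE = ('<p>Welcome</p><meta http-equiv="refresh" content="0" '
          'url="http://www.somepage.xyz"><p>Bye</p>')
```

The filter has to run on the final rendered HTML, after all wiki markup has been expanded, and the `blocked` list can be logged next to the editing user's name.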
FYI, Mozilla 1.8a4 refreshes ShowRefresherTest over and over, so I guess it honors the meta tag in body. But it doesn't redirect back here.
--
KennethPorter - 30 Nov 2004