Swank Wiki

Swank v0.04.04

Type: task
Description: Security Audit
Status: In Progress
Priority: 1
Assigned:

Notes

Need to validate, document, test, and enforce security procedures.

Integrity:

Perl code embedded in pages can do anything, so the ability to change it must be carefully restricted.

  • OK only admins can edit or write pages with perl code
    • attack vectors: Storage::write, RawUtil::upload
      • Storage::write is secured by Security::write
      • RawUtil::upload: raw files must be served back raw (raw files are only allowed in designated "raw" directories)
  • OK no way to get perl code in without being admin (attachments are tricky)
  • cannot change authentication credentials (without admin access)

Other attack vectors:

  • OK no one can access files outside document root (all filenames are validated by Swank::Storage::_validfilename)
  • (non-perl) code should not have access to page->meta
  • OK attachments should never be able to execute any kind of code
    • RawUtils::upload -- only upload raw files to "raw" directories
    • Storage::read -- do not read from "raw" directories (tainted)
    • "raw" directories are /images and */attach/
    • make sure rename cannot change directories
  • { { safe inclusions } } need auditing; things like io.* and sys.* may not be safe
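The checks listed above (filename validation against escaping the document root, raw-directory detection, page/attachment exclusivity, admin-only writes of pages with perl code, and directory-preserving rename) as one illustrative reimplementation; this is an added example, not Swank's own code, and the document root, the `<perl>` / `{{perl` markers and the function names are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed example root; Swank's real document root is not given on this page.
DOC_ROOT = PurePosixPath("/var/swank/docroot")
# Assumed marker for embedded perl in page text (the audit notes do not state the syntax).
PERL_CODE = re.compile(r"<perl\b|\{\{\s*perl\b", re.I)

def valid_filename(name):
    """Return the path joined under DOC_ROOT, or None if the name could escape it."""
    if not name or "\0" in name:
        return None
    parts = PurePosixPath(name).parts
    # Reject absolute names and any "." / ".." component before joining to the root,
    # so "a/../../etc/passwd" cannot normalize its way above the document root.
    if name.startswith("/") or any(p in (".", "..") for p in parts):
        return None
    return DOC_ROOT / name

def is_raw(name):
    """True if the file lives in a raw directory: /images or any */attach/ directory."""
    parts = PurePosixPath(name).parts
    return (len(parts) > 1 and parts[0] == "images") or "attach" in parts[:-1]

def can_write(user_is_admin, name, content):
    """Page write policy; returns (allowed, reason)."""
    if valid_filename(name) is None:
        return False, "filename escapes document root"
    if is_raw(name):                      # pages and attachments are mutually exclusive
        return False, "raw directories hold attachments, not pages"
    if PERL_CODE.search(content) and not user_is_admin:
        return False, "only admins may write pages with perl code"
    return True, "ok"

def can_upload(name):
    """Raw uploads are only allowed into raw directories, and never above the root."""
    return valid_filename(name) is not None and is_raw(name)

def can_rename(old, new):
    """A rename may change the basename only, never the directory."""
    o, n = valid_filename(old), valid_filename(new)
    return o is not None and n is not None and o.parent == n.parent

if __name__ == "__main__":
    print(can_write(False, "Pages/Main", "<perl>print 1</perl>"))   # (False, ...)
    print(can_upload("images/logo.png"), can_rename("Pages/Old", "images/Old"))
```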

Confidentiality:

There should be a way to mark pages confidential/private, and control access (per top_action at least, maybe other access as well)

Availability:

endless loops should not be possible (or should be detected and stopped)

Authentication:

  • should not be possible to login without valid password, or to change passwords without proper access.
  • user records should be safe from other users?

Spam & Abuse:

  • (done) added robots:nofollow,noindex meta tag to history pages
  • Plugin: block ip-addr/user with an expiry time (options: e.g. page, full site, anonymous users only, account creation disabled) (ip blocker implemented as a group)
  • XSS attacks, e.g. javascript sending user to another site
  • io.tag could be dangerous, and is accessible from { { tags } }

Task-46 is for update notifications, which will help detect abuse.

John Williams - 14 Nov 2008 02:07pm

Debugging... (on Task-43)

(FIXED) delete action currently broken by filename check

John Williams - 28 Nov 2008 09:13pm

Committed (on Task-43)

committed r173, including

filename checks: no one can get access above document root

is_raw checks: attachments and pages are mutually exclusive

only admin can write pages with perl code