Type: task
Description: Security Audit
Status: In Progress
Priority: 1
Assigned:
Notes
Need to validate, document, test, and enforce security procedures.
Integrity:
perl code can do anything, so access to change it must be carefully restricted
- OK only admins can edit or write pages with perl code
- attack vectors: Storage::write, RawUtil::upload
Storage::write secured by Security::write
RawUtil::upload --- raw files must be served back raw (raw files only allowed in designated "raw" directories)
- OK no way to get perl code in without being admin (attachments are tricky)
- cannot change authentication credentials (without admin access)
other attack vectors
- OK no one can access files outside document root (all filenames are validated by Swank::Storage::_validfilename)
- (non-perl) code should not have access to page->meta
- OK attachments should never be able to execute any kind of code
- RawUtils::upload -- only upload raw files to "raw" directories
- Storage::read -- do not read from "raw" directories (tainted)
- "raw" directories are /images and */attach/
- make sure rename cannot change directories
- { { safe inclusions } } need to be audited; things like io.* and sys.* may not be safe
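Worked check for the filename, raw-directory and rename rules listed above. This is an added illustration, not Swank's own Perl (Swank::Storage::_validfilename, Security::write and RawUtil::upload are not reproduced here); it assumes the raw-directory rules as written (/images and */attach/), that the caller's page parser supplies the "body has perl code" flag, and that the only two directory classes are pages and raw files.

```python
import posixpath

# Raw-directory rules from the notes: "/images" and "*/attach/" are raw (assumed).
RAW_TOP_DIRS = ("images",)
RAW_SUBDIR_NAMES = ("attach",)


def canonical(path):
    """Return a canonical root-relative path ("/Main/Page") or raise ValueError.

    Components are walked with a stack so that a ".." which would climb above
    the document root is reported instead of being silently dropped, which is
    what posixpath.normpath("/../x") == "/x" would do.
    """
    if "\x00" in path:
        raise ValueError("NUL byte in filename")
    parts = []
    for comp in path.replace("\\", "/").split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise ValueError("path escapes document root: %r" % (path,))
            parts.pop()
        else:
            parts.append(comp)
    if not parts:
        raise ValueError("empty filename: %r" % (path,))
    return "/" + "/".join(parts)


def is_raw(path):
    """True when the file lives in a designated raw directory."""
    dirs = canonical(path).split("/")[1:-1]
    return bool(dirs) and (dirs[0] in RAW_TOP_DIRS
                           or any(d in RAW_SUBDIR_NAMES for d in dirs))


def check_page_write(path, is_admin, body_has_perl):
    """Storage::write guard: pages never land in raw dirs; perl needs admin.

    body_has_perl is assumed to come from the caller's page parser.
    """
    p = canonical(path)
    if is_raw(p):
        raise PermissionError("pages may not be written into a raw directory: " + p)
    if body_has_perl and not is_admin:
        raise PermissionError("only admins may write pages containing perl code")
    return p


def check_raw_upload(path):
    """RawUtil::upload guard: raw files go only into raw directories."""
    p = canonical(path)
    if not is_raw(p):
        raise PermissionError("raw uploads only allowed in raw directories: " + p)
    return p


def check_page_read(path):
    """Storage::read guard: never interpret a raw (tainted) file as a page."""
    p = canonical(path)
    if is_raw(p):
        raise PermissionError("refusing to read raw file as a page: " + p)
    return p


def check_rename(src, dst):
    """Rename may change the basename only; same directory implies same class."""
    s, d = canonical(src), canonical(dst)
    if posixpath.dirname(s) != posixpath.dirname(d):
        raise PermissionError("rename may not change directories: %s -> %s" % (s, d))
    return s, d


def allowed(check, *args):
    """True if the given check accepts its arguments, False if it refuses."""
    try:
        check(*args)
    except (ValueError, PermissionError):
        return False
    return True
```

Run the checks on the decoded filename, i.e. the string that is actually handed to the filesystem, after any URL or form decoding; a check on the encoded form proves nothing about the path that gets opened.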
Confidentiality:
There should be a way to mark pages confidential/private, and control access (per top_action at least, maybe other access as well)
Availability:
endless loops should not be possible (or should be detected and stopped)
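Added illustration of the "detected and stopped" option for one common source of endless loops in a wiki, a page that includes itself (directly or via a chain). This is example code, not Swank's own inclusion mechanism; it assumes an inclusion syntax of the form {{include:PageName}} and an in-memory page store, both of which are inventions for the example.

```python
import re

# Assumed inclusion syntax for this example: {{include:PageName}}
INCLUDE_RE = re.compile(r"\{\{include:([A-Za-z0-9_/]+)\}\}")


class ExpansionLimit(Exception):
    """Raised when the total inclusion budget for one render is exhausted."""


def expand(name, pages, max_depth=8, max_total=200):
    """Render page `name` from the `pages` dict, expanding inclusions.

    Three independent limits stop runaway rendering:
      - a cycle (A -> B -> A) is replaced by an inline marker,
      - nesting deeper than max_depth is replaced by a marker,
      - more than max_total inclusions in one render raises ExpansionLimit,
        which catches fan-out bombs that never recurse and never nest deeply.
    """
    budget = [max_total]

    def walk(name, stack):
        if name in stack:
            chain = " -> ".join(stack + (name,))
            return "[[inclusion of %s stopped: cycle %s]]" % (name, chain)
        if len(stack) >= max_depth:
            return "[[inclusion of %s stopped: depth > %d]]" % (name, max_depth)
        text = pages.get(name, "")  # a missing page expands to nothing

        def sub(match):
            budget[0] -= 1
            if budget[0] < 0:
                raise ExpansionLimit("more than %d inclusions in one render"
                                     % max_total)
            return walk(match.group(1), stack + (name,))

        return INCLUDE_RE.sub(sub, text)

    return walk(name, ())


def renders_within_budget(name, pages, **limits):
    """True if `name` renders without hitting the total inclusion budget."""
    try:
        expand(name, pages, **limits)
    except ExpansionLimit:
        return False
    return True
```

The depth and cycle checks alone are not enough: a page that includes a second page a few hundred times, which in turn includes a third a few hundred times, stays shallow and acyclic while doing work quadratic in the page size, so the per-render budget is the limit that actually bounds CPU time.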
Authentication:
- should not be possible to login without valid password, or to change passwords without proper access.
- user records should be safe from other users?
Spam & Abuse
- (done) added robots:nofollow,noindex meta tag to history pages
- Plugin: block an IP address or user, with an expiry time (options, e.g.: a single page, the full site, anonymous users only, account creation disabled) (the IP blocker is implemented as a group)
- XSS attacks, e.g. JavaScript that sends the user to another site
- io.tag could be dangerous, and is accessible from { { tags } }
Task-46 is for update notifications, which will help detect abuse.
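Added sketch of the blocking plugin described above (an expiring block on an IP address, CIDR range or user name, scoped to a page, the whole site, anonymous users or account creation). It is example code, not the Swank plugin or its group mechanism; the scope names, the action names "edit"/"view"/"signup" and the injectable clock are assumptions made for the example.

```python
import ipaddress
import time
from dataclasses import dataclass
from typing import Optional

# Assumed scope names: what a block applies to.
SCOPES = ("page", "site", "anonymous", "signup")


@dataclass
class Block:
    subject: str            # user name, or an IP address / CIDR network
    scope: str              # one of SCOPES
    expires: float          # absolute time (seconds) after which it is ignored
    page: Optional[str] = None   # only meaningful for scope == "page"


def _matches_subject(subject, ip, user):
    """A block matches on exact user name, or on IP membership in the subject."""
    if user is not None and subject == user:
        return True
    if ip is None:
        return False
    try:
        net = ipaddress.ip_network(subject, strict=False)
    except ValueError:          # subject is a user name, not an address
        return False
    return ipaddress.ip_address(ip) in net


class BlockList:
    def __init__(self, clock=time.time):
        self._clock = clock     # injectable so expiry can be tested offline
        self._blocks = []

    def add(self, subject, scope, ttl_seconds, page=None):
        if scope not in SCOPES:
            raise ValueError("unknown scope: %r" % (scope,))
        if scope == "page" and page is None:
            raise ValueError("page-scoped block needs a page")
        self._blocks.append(Block(subject, scope, self._clock() + ttl_seconds, page))

    def _live(self):
        """Drop expired entries lazily and return the rest."""
        now = self._clock()
        self._blocks = [b for b in self._blocks if b.expires > now]
        return self._blocks

    def active_count(self):
        return len(self._live())

    def is_blocked(self, action, ip=None, user=None, page=None):
        """True if `action` by this ip/user on `page` is currently blocked."""
        for b in self._live():
            if not _matches_subject(b.subject, ip, user):
                continue
            if b.scope == "site":
                return True
            if b.scope == "page" and action == "edit" and b.page == page:
                return True
            if b.scope == "anonymous" and user is None:
                return True
            if b.scope == "signup" and action == "signup":
                return True
        return False
```

Expiry is absolute time stored with the entry, so a restart or a long-lived process cannot resurrect a block, and a single expired "site" block does not keep a whole range locked out after the abuse has stopped.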
Debugging... (on Task-43)
(FIXED) delete action currently broken by filename check
Committed (on Task-43)
committed r173, including
- filename checks: no one can get access above document root
- is_raw checks: attachments and pages are mutually exclusive
- only admin can write pages with perl code