Dokuwiki Security

This page explains how to secure the private sections of a DokuWiki installation.

:!: Last update for version 2011-05-25a.

Create a private section

To secure private information, access to pages or folders can easily be restricted using ACLs:

  • Create the page and/or the folder
  • When the page is displayed, click Admin
  • Select “Access Control List Management”
  • Add the rule:
    • Select the page or folder
    • Select group “ALL”
    • Select “None”
    • Click Save

This rule disables access to the folder/page, including in search results and recent changes.

Then you can grant limited access to specific users or groups.

Please note that the super admin always has full access to all pages.

:!: To make the index reflect the ACL rules, you need to enable the general configuration option “sneaky_index”.

Secure the root

Error messages differ between an unauthorized access and a page not found, so anybody can tell whether a page exists.

If a namespace must be hidden completely, you need to deny access to the root “*” and then authorize the public pages and namespaces manually.

For example:

page       group   rights
*          @ALL    None
start      @ALL    Read
sidebar    @ALL    Read
linux:*    @ALL    Read
en:*       @ALL    Read

How to completely hide unauthorized pages

ACLs limit access to pages, but do not hide them completely.
This section discusses the security issues I found when using private areas; solutions are also provided.

The issues are reported on the DokuWiki bug tracker: http://bugs.dokuwiki.org/index.php?do=details&task_id=970

Demo

Demonstration of the issues with a simple wiki:

  • the “start” page has 3 links to 3 pages
  • “valid” is an existing and authorized page
  • “hidden” is an existing but unauthorized page
  • there is no page called “empty”, and “empty” is also unauthorized by the ACL
  • the ACLs are set to deny everything except “start” and “valid”
  • “useheading” is on

Please find the screenshots:

Details of the issues:

  • Even if the content is blocked, it is still possible to learn the page's title if “useheading” is enabled.
  • The breadcrumb stores visited pages only if they exist.
  • When a page links to other pages, the links indicate whether the target page exists.

Moreover, if useheading is on, the title of the linked page is also displayed.

:!: Warning: the generated pages are cached, so a user can see a link rendered as authorized if the cached content was generated for an authorized user.
To avoid this, don't link to private parts from public pages, or use the NOCACHE directive.
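As an added example (not DokuWiki's own code, nor the patches on this page): a simplified Python re-implementation of DokuWiki's ACL lookup, fed a constructed acl.auth.php that combines the root-deny table above with the demo's pages, plus a check over a constructed page fragment for links that reveal a private page's existence to a viewer who cannot read it. The acl.auth.php line format (scope, user or @group, numeric level) and the wikilink1/wikilink2 link classes are DokuWiki's; the group @staff and the HTML fragment are constructed.

```python
import re
# DokuWiki permission levels (inc/auth.php); acl.auth.php stores the number
AUTH_NONE, AUTH_READ, AUTH_DELETE = 0, 1, 16

# Constructed conf/acl.auth.php: deny the root, re-open public pages and
# namespaces one by one, then grant a group access to a private namespace.
ACL_FILE = """\
*\t@ALL\t0  # deny everything by default
start\t@ALL\t1
valid\t@ALL\t1
linux:*\t@ALL\t1
en:*\t@ALL\t1
secret:*\t@staff\t2
"""

# Constructed fragment of a cached public page as rendered for anonymous users;
# DokuWiki styles links to existing pages wikilink1 and to missing ones wikilink2.
PAGE_HTML = """\
<a href="/doku.php?id=valid" class="wikilink1" title="valid">valid</a>
<a href="/doku.php?id=hidden" class="wikilink1" title="hidden">Secret plans</a>
<a href="/doku.php?id=empty" class="wikilink2" title="empty">empty</a>
"""

def parse_acl(text):
    """One (scope, user-or-@group, level) tuple per rule; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line:
            scope, who, level = line.split()
            rules.append((scope, who, min(int(level), AUTH_DELETE)))  # no admins via ACL
    return rules

def acl_check(rules, page_id, principals=("@ALL",)):
    """Most specific scope wins: the page itself, its namespace, each parent
    namespace, then '*'; within one scope the highest matching level is taken."""
    parts = page_id.split(":")
    scopes = [page_id] + [":".join(parts[:d]) + ":*" for d in range(len(parts) - 1, 0, -1)] + ["*"]
    for scope in scopes:
        levels = [lvl for s, who, lvl in rules if s == scope and who in principals]
        if levels:
            return max(levels)
    return AUTH_NONE

LINK_RE = re.compile(r'<a href="[^"]*\?id=([^"&]+)" class="(wikilink[12])"')

def leaked_links(rules, html, principals=("@ALL",)):
    """Links styled as existing (wikilink1) whose target the viewer may not read."""
    return [pid for pid, cls in LINK_RE.findall(html)
            if cls == "wikilink1" and acl_check(rules, pid, principals) < AUTH_READ]
```

Running leaked_links over a page fetched as an anonymous user (after the cache has been refreshed) lists exactly the links that still disclose a hidden page, which is a quick way to confirm a patch or a NOCACHE directive took effect.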

Patch: dokuwiki_2011-05-25_secu1.patch

:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki_2011-05-25_secu1.patch
patching file common.php
patching file parser/xhtml.php
:/opt/dokuwiki/inc#

Patched Demo

Once DokuWiki is patched, the demo wiki looks like this:

Patches for previous versions

2008-05-05

Patch for version 2008-05-05: doku_hide-2008-05-05.patch

wiki:/opt/wiki# patch -p 1 < /root/doku_hide.patch
patching file inc/common.php
patching file inc/parser/xhtml.php
patching file inc/parserutils.php
patching file inc/template.php
wiki:/opt/wiki#

2009-02-14

Patch for version 2009-02-14: dokuwiki-2009-02-14_security.patch

wiki:/opt/wiki/inc# patch -p 1 < /root/doku_hide.patch
patching file common.php
patching file parser/xhtml.php
patching file parserutils.php
patching file template.php
wiki:/opt/wiki/inc#

2010-11-07

Patches for version 2010-11-07.

Displaying the title of hidden pages

Even if the content is blocked, it is still possible to learn the page's title if “useheading” is enabled.

Patch: dokuwiki-2010-11-07_secu1.patch

:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu1.patch
patching file parserutils.php
:/opt/dokuwiki/inc#

The style used inside youarehere indicates if the page exists

It is possible to identify whether a page exists by looking at the style used inside “youarehere” (this text is used as the upper-left title of my template).

Patch: dokuwiki-2010-11-07_secu2.patch

:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu2.patch
patching file template.php
:/opt/dokuwiki/inc#

The breadcrumb indicates if the page exists

The breadcrumb stores visited pages only if they exist.

Patch: dokuwiki-2010-11-07_secu3.patch

:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu3.patch
patching file common.php
:/opt/dokuwiki/inc#

The links inside the content show if the page exists and its title

When a page links to other pages, the links indicate whether the target page exists.
Moreover, if useheading is on, the title of the linked page is also displayed.

Patch: dokuwiki-2010-11-07_secu4.patch

:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu4.patch
patching file parser/xhtml.php
:/opt/dokuwiki/inc#

:!: Warning: the generated pages are cached, so a user can see a link rendered as authorized if the cached content was generated for an authorized user.
To avoid this, don't link to private parts from public pages, or use the NOCACHE directive.

en/linux/dokuwiki/secu.txt · Last modified: 2011/10/04 22:16 by matthieu