Differences

This shows you the differences between two versions of the page.


en:linux:dokuwiki:secu [2011/01/08 19:32]
matthieu [Hide that a page exist]
en:linux:dokuwiki:secu [2011/10/04 22:16] (current)
matthieu old revision restored
Line 2: Line 2:
 ====== Dokuwiki Security ====== ====== Dokuwiki Security ======
  
-This page gives details how to secure [[en:linux:Dokuwiki]].+This page gives details how to secure the private sections of [[en:linux:Dokuwiki]].
  
-:!: Last update for version 2010-11-07.+:!: Last update for version 2011-05-25a.
  
-===== Create a privation section =====+===== Create a private section =====
 To secure some privation information, it is possible to restrict the acces to pages of folders easily using ACL : To secure some privation information, it is possible to restrict the acces to pages of folders easily using ACL :
   * Create the page and/or the folder   * Create the page and/or the folder
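Review bot: the heading fix from "privation section" to "private section" leaves the same wording in the unchanged sentence directly under it ("To secure some privation information, it is possible to restrict the acces to pages of folders easily using ACL"); while this section is being touched, change it to "To secure some private information, it is possible to restrict the access to pages or folders easily using ACL" so the heading and body agree.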
Line 25: Line 25:
 :!: To make the index reflect the ACL rules, you need to select the general option "sneaky_index" :!: To make the index reflect the ACL rules, you need to select the general option "sneaky_index"
  
-===== Hide that a page exists =====+ 
 +===== Secure the root =====
 Error messages are differents between unauthorized access and page not found, so everybody can find if a page exist. Error messages are differents between unauthorized access and page not found, so everybody can find if a page exist.
  
-The workaround is to deny the access to all pages "*" then authorized plubic parts manually.+If a namespace is hidden, to hide it completely, you need to deny the access to the root "*" then authorize public pages and namespaces manually
 + 
 +For example : 
 +^ page     ^ group  ^ rights  ^ 
 +| *        | @ALL   | None    | 
 +| start    | @ALL   | Read    | 
 +| sidebar  | @ALL   | Read    | 
 +| linux:*  | @ALL   | Read    | 
 +| en:*     | @ALL   | Read    | 
 + 
 +===== How to completely hide unauthorized pages  ===== 
 +ACLs allow to limit the access to pages, but do not hide them completely.\\ 
 +This section discuss about security issues I found when using private areas, solutions are also provided
  
-===== Security issues ===== +Issues are reported on the dokuwiki bug tracker here : http://bugs.dokuwiki.org/index.php?do=details&task_id=970
-This section discuss about security issues I found when using private areas, solutions are also provided.+
  
 ==== Demo ==== ==== Demo ====
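Review bot: the new "Secure the root" section gives the rule (deny "*", then re-allow public pages and namespaces) but not why it addresses the error-message difference stated in the sentence just above it; add one sentence saying that, once the root is denied, every non-public page answers with the unauthorized error whether it exists or not, which is what makes existence undetectable. Two smaller points in the same hunk: the table rows "linux:*" and "en:*" grant Read to the whole namespaces, so anything private inside them still needs its own deny rule as described in "Create a private section", which is worth stating next to the example; and both the "How to completely hide unauthorized pages" sentence and the "Issues are reported on the dokuwiki bug tracker here : http://bugs.dokuwiki.org/index.php?do=details&task_id=970" line lost their final period.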
Line 52: Line 64:
 {{:linux:dokuwiki:doku_secu_1_4.png|}} {{:linux:dokuwiki:doku_secu_1_4.png|}}
  
-The detail of each issue is described bellow.+The detail of the issues : 
 +  * Even if the content is bloqued, it is still possible to know his title if "use_heading" is enabled. 
 +  * The breadcrumb store visited pages only if they exist. 
 +  * When a page has a link to other pages, they can indicate if the page exists.\\ 
 +    Moreover, if useheasing is on, the title of the page is also displayed.
  
-==== Displaying the title of hidden pages ==== +:!: Warning, the generated pages are cached, so a user can see the link as authorized if the cache content was generated for an authorized user.\\ 
-Even if the content is bloqued, it is still possible to know his title if "use_heading" is enabled+To avoid this case, don't use link to private parts in the public pages, or use NOCACHE directive.
- +
-Patch : {{dokuwiki-2010-11-07_secu1.patch|}} +
-<code> +
-:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu1.patch +
-patching file parserutils.php +
-:/opt/dokuwiki/inc# +
-</code> +
- +
- +
-==== The style used inside youarehere indicate if the page exists ==== +
-It is possible to identify if the page exist by looking at the style used inside "youarehere" (this text is used as the upper left title of my template).+
  
-Patch : {{dokuwiki-2010-11-07_secu2.patch|}}+Patch: {{:linux:dokuwiki:dokuwiki_2011-05-25_secu1.patch|}}
 <code> <code>
-:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu2.patch +:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki_2011-05-25_secu1.patch
-patching file template.php +
-:/opt/dokuwiki/inc# +
-</code> +
- +
-==== The breadcrumb indicate if the page exists ==== +
-The breadcrumb store visited pages only if they exist. +
- +
-Patch : {{dokuwiki-2010-11-07_secu3.patch|}} +
-<code> +
-:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu3.patch+
 patching file common.php patching file common.php
-:/opt/dokuwiki/inc# 
-</code> 
- 
-==== The links inside the content show if the page exists and its title ==== 
-When a page has a link to other pages, they can indicate if the page exists.\\ 
-Moreover, if useheasing is on, the title of the page is also displayed. 
- 
-Patch : {{dokuwiki-2010-11-07_secu4.patch|}} 
-<code> 
-:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu4.patch 
 patching file parser/xhtml.php patching file parser/xhtml.php
 :/opt/dokuwiki/inc# :/opt/dokuwiki/inc#
 </code> </code>
  
-:!: Warning, the generated pages are cached, so a user can see the link as authorized if the cache content was generated for an authorized user.\\ 
-To avoid this case, don't use link to private parts in the public pages, or use NOCACHE directive. 
  
 ==== Patched Demo ==== ==== Patched Demo ====
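Review bot: the consolidated patch output lists only common.php and parser/xhtml.php, yet the issue list above it still includes the use_heading title leak (fixed in parserutils.php by the previous patch set) and drops the "youarehere" style issue (template.php) without saying whether it still applies to 2011-05-25a; add a sentence stating which of the four earlier issues the 2011-05-25 patch covers and which are handled elsewhere or no longer apply. Also, the file is named dokuwiki_2011-05-25_secu1.patch while the header says version 2011-05-25a, and the earlier files use a hyphen (dokuwiki-2010-11-07_secu1.patch); pick one naming scheme so readers can match patch to version.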
Line 109: Line 92:
 ==== Patchs for previous versions ==== ==== Patchs for previous versions ====
 === 2008-05-05 === === 2008-05-05 ===
-Patch for version 2008-05-05: {{doku_hide-2008-05-05.patch}}+Patch for version 2008-05-05: {{linux:dokuwiki:doku_hide-2008-05-05.patch}}
  
 <code> <code>
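Review bot: the media link is written as {{linux:dokuwiki:doku_hide-2008-05-05.patch}} without a leading colon, whereas the new patch link above uses the absolute form {{:linux:dokuwiki:...|}}; use the leading-colon form here (and in the 2009-02-14 link below) so the link does not depend on the namespace of the page it is placed on. The unchanged heading "Patchs for previous versions" in this hunk should read "Patches for previous versions".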
Line 122: Line 105:
  
 === 2009-02-14 === === 2009-02-14 ===
-Patch for version 2009-02-14: {{dokuwiki-2009-02-14_security.patch}}+Patch for version 2009-02-14: {{linux:dokuwiki:dokuwiki-2009-02-14_security.patch}}
  
 <code> <code>
Line 133: Line 116:
 </code> </code>
  
 +=== 2010-11-07 ===
 +Patches for version 2010-11-07.
 +== Displaying the title of hidden pages ==
 +Even if the content is bloqued, it is still possible to know his title if "use_heading" is enabled.
  
 +Patch : {{linux:dokuwiki:dokuwiki-2010-11-07_secu1.patch|}}
 +<code>
 +:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu1.patch
 +patching file parserutils.php
 +:/opt/dokuwiki/inc#
 +</code>
 +
 +
 +== The style used inside youarehere indicate if the page exists ==
 +It is possible to identify if the page exist by looking at the style used inside "youarehere" (this text is used as the upper left title of my template).
 +
 +Patch : {{linux:dokuwiki:dokuwiki-2010-11-07_secu2.patch|}}
 +<code>
 +:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu2.patch
 +patching file template.php
 +:/opt/dokuwiki/inc#
 +</code>
 +
 +== The breadcrumb indicate if the page exists ==
 +The breadcrumb store visited pages only if they exist.
 +
 +Patch : {{linux:dokuwiki:dokuwiki-2010-11-07_secu3.patch|}}
 +<code>
 +:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu3.patch
 +patching file common.php
 +:/opt/dokuwiki/inc#
 +</code>
 +
 +== The links inside the content show if the page exists and its title ==
 +When a page has a link to other pages, they can indicate if the page exists.\\
 +Moreover, if useheasing is on, the title of the page is also displayed.
 +
 +Patch : {{linux:dokuwiki:dokuwiki-2010-11-07_secu4.patch|}}
 +<code>
 +:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu4.patch
 +patching file parser/xhtml.php
 +:/opt/dokuwiki/inc#
 +</code>
 +
 +:!: Warning, the generated pages are cached, so a user can see the link as authorized if the cache content was generated for an authorized user.\\
 +To avoid this case, don't use link to private parts in the public pages, or use NOCACHE directive.
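Review bot: the moved 2010-11-07 block names the same option two ways, "use_heading" in the first subsection and "useheasing" in the last; use use_heading in both, and correct "bloqued" to "blocked" and "his title" to "its title" while the text is being relocated. The NOCACHE warning at the end of this block duplicates the one added to the main section in the hunk above; drop this second copy or replace it with a short pointer to the main warning.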
en/linux/dokuwiki/secu.1294511561.txt.gz · Last modified: 2011/01/08 19:32 by matthieu