Monday, June 11, 2007

FlexWiki 2.0 Security Bug Alert

I noticed something weird on one of the wikis I’ve upgraded to FlexWiki 2.0. Even though I’d locked down a namespace to only allow authenticated users to edit, I was still seeing new topics getting created. Sure enough, when I tried it myself, I was able to create a new topic even though I wasn’t logged in. Fortunately, the problem only seems to manifest with new topics: editing of existing pages is still correctly prevented by the security provider.

After a bit of digging, I figured out that the problem is with the way permissions are handled for nonexistent topics. Basically, users were granted full control over nonexistent topics. The correct behavior is for nonexistent topics to be given the default permissions for the namespace, as once they are created, that’s what they’ll have (absent explicit permission statements). I’ve coded the fix and submitted it – it’s present in build 2.0.0.49 and forward.
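To make the faulty permission resolution concrete, here is a small toy model of it. This is added example code, not FlexWiki's own; the `Namespace`, `Principal` and `is_allowed` names and the rule format (`"all"`, `"authenticated"`, `"none"`) are assumptions for illustration, and the `fixed` flag switches between the pre-2.0.0.49 behaviour and the corrected one.

```python
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    authenticated: bool


@dataclass
class Namespace:
    # Default rule per action, e.g. {"read": "all", "edit": "authenticated"}
    # (assumed format, not FlexWiki's real configuration syntax).
    defaults: dict
    # Existing topics: topic name -> explicit permission statements
    # ({} means "exists, but carries no explicit statements").
    topics: dict = field(default_factory=dict)


def _rule_allows(rule: str, who: Principal) -> bool:
    if rule == "all":
        return True
    if rule == "authenticated":
        return who.authenticated
    return False  # "none" or an unknown rule: deny by default


def is_allowed(ns: Namespace, topic: str, action: str,
               who: Principal, fixed: bool = True) -> bool:
    explicit = ns.topics.get(topic)
    if explicit is None:
        # The topic does not exist yet.
        if not fixed:
            # Buggy behaviour: full control over nonexistent topics,
            # so anonymous users can create new topics.
            return True
        # Fixed behaviour: a nonexistent topic gets the namespace defaults,
        # which is exactly what it will carry once created.
        rule = ns.defaults.get(action, "none")
    else:
        # Existing topic: explicit statements override namespace defaults.
        rule = explicit.get(action, ns.defaults.get(action, "none"))
    return _rule_allows(rule, who)


def demo() -> dict:
    """Constructed sample namespace: anyone may read, only logged-in users may edit."""
    ns = Namespace(defaults={"read": "all", "edit": "authenticated"},
                   topics={"HomePage": {}, "Scratch": {"edit": "all"}})
    anon, alice = Principal("anonymous", False), Principal("alice", True)
    return {
        "anon_edit_existing": is_allowed(ns, "HomePage", "edit", anon),
        "anon_create_buggy": is_allowed(ns, "NewTopic", "edit", anon, fixed=False),
        "anon_create_fixed": is_allowed(ns, "NewTopic", "edit", anon),
        "alice_create_fixed": is_allowed(ns, "NewTopic", "edit", alice),
        "anon_edit_scratch": is_allowed(ns, "Scratch", "edit", anon),
    }
```

The `demo()` results show the asymmetry from the post: with the bug, an anonymous user is refused on `HomePage` but allowed to create `NewTopic`; after the fix both are governed by the namespace's `edit` default.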

Note that the fix makes the wiki secure by ensuring that unauthorized writes can't happen, but that the UI is still somewhat wanting: You're not told that the write is going to fail beforehand. I'll make that change soon. I just wanted to get a patch out to solve the underlying problem as quickly as possible.

If you’ve deployed FlexWiki 2.0 you should seriously consider upgrading to this latest build. Available here.

9 comments:

  1. Would that have anything to do with the flexwiki.com site being down?

  2. Not sure - looking into it now.

  3. OK, back up and running. Not totally sure what the issue was, although it was nothing to do with the 2.0 upgrade - www.flexwiki.com still runs FlexWiki 1.8.

    Thanks for the heads-up!

  4. This is kind of unrelated, but is SQL support fixed in the latest build? Looks like as of now the latest is 2.0.0.52. Thanks!

  5. Support for SQL Server was committed in 2.0.0.52 or so, but I haven't announced it yet because I'm still in the process of shaking out the bugs. That said, you're welcome to give it a spin. We should have a blessed release within a week or so.

  6. Hi Craig,

    I'm finally getting round to looking at FW2.0 and wanted to read up on the security features, etc. Unfortunately, it seems that flexwiki.com is down again :(

    Thanks,

    Derek.

  7. Yep. Once again the machine is borked to the point where it needs physical intervention. And David is the only guy with access, and I can't reach him right now.

    Sorry about that.

  8. Thanks Craig. Hopefully, David can get it back up and running soon. I've a feeling it's been down for some time actually. The latest cached pages at search.live.com are from early July!

  9. I'm finally getting round to looking at FW2.0 and wanted to read up on the security features, etc.
