• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close • Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
Item6246: Security: twiki root directory should not be exposed as html doc root
Item Form Data
| AppliesTo: | Component: | Priority: | CurrentState: | WaitingFor: | TargetRelease | ReleasedIn |
|---|---|---|---|---|---|---|
| Engine | Enhancement | Closed | minor | 5.0.0 |
Edit Form Data
Detail
Currently, the twiki root is configured as an html doc root in Apache's twiki.conf. For secturity, sub directories need to be excluded explicitly, such as twiki/data. If an admin adds a new subdir (such as when installing an extension) that dir needs to be excluded as well. This is easy to forget.
It is much safer to not expose the twiki root as html doc. Only twiki/pub needs to be html doc root enabled, and twiki/bin needs to be cgi-bin enabled.
While at it, we should clean up the twiki root dir, and make it easier to install TWiki.
To do: 
-- TWiki:Main/PeterThoeny - 10 Apr 2009
- 26 Oct 2009
- update twiki.conf
- update installation docs and upgrade doc
- update release notes
- update apache config generator on twiki.org
- replace .html docs in twiki root with .txt version (move to subdir?)
-- TWiki:Main/PeterThoeny - 10 Apr 2009
- Updated
twiki/twiki_httpd_conf.txt - No need to update installation and upgrade docs
- No needs to update release notes
- Updated TWiki:TWiki/ApacheConfigGenerator
- 26 Oct 2009
| ItemTemplate | |
|---|---|
| Summary | Security: twiki root directory should not be exposed as html doc root |
| ReportedBy |
TWiki:Main.PeterThoeny
|
| Codebase | 4.3.0, ~twiki4 |
| SVN Range | TWiki-5.0.0, Thu, 09 Apr 2009, build 17970 |
| AppliesTo | Engine |
| Component | |
| Priority | Enhancement |
| CurrentState | Closed |
| WaitingFor | |
| Checkins |
TWikirev:18189 TWikirev:18190 TWikirev:18844 TWikirev:18845
|
| TargetRelease | minor |
| ReleasedIn | 5.0.0 |
Topic revision: r6 - 2010-05-31 - PeterThoeny
Site map
Bugs web
Create New Report
Index
Search
Detailed Items Query
Changes
100
Notifications
RSS Feed
Statistics
Preferences
Bugs 
Items by urgency
My Reports
Recently Closed
Extensions
By Status 
Waiting for Feedback
Confirmed
Being Worked On
Waiting for Release
No Action Required
Lima 
Fixes for Rel.Notes
Create Feature Request
Account 
Copyright © 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback