
We don't ship this topic... but they get untold privileges... what's to stop someone registering as this group or creating this group with their usual login?

  • What is it that you are saying here? Why should we not ship this group? Why should we allow anyone to create arbitrary topics in Main?
  • Not quite a FMEA, Martin. You've described the abstract attack without showing there is a vulnerability.
    First, do you mean TWikiAdminGroup? I see no SuperAdminGroup.
    Second, the ALLOWTOPICCHANGE means that only a member of that group can alter that group's membership.
  • As shipped, this simply isn't set up. That's why the setup note is there.
  • If the installer doesn't set this up, leaves it as shipped, ALLOWTOPICCHANGE commented out, then yes there is a vulnerability. But if the installer doesn't complete the installation there are many things that are potential holes. It would be more constructive to develop an installation check-list than to point to individual items that need to be done as part of the installation and declare them to be a security risk. -- AJA
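As an added example (not TWiki's own code, and not posted by anyone in this thread), here is one concrete item for the installation check-list AJA suggests: a Python script that scans group topics in the Main web and reports any whose ALLOWTOPICCHANGE setting is missing, commented out, or points at some other group, so that membership could be changed by users outside the group. The sample topic texts are constructed; the `   * Set NAME = value` preference syntax and the TWikiAdminGroup name come from standard TWiki and from this thread, while treating `<!-- -->` blocks as "commented out" and recognising group topics by the `Group` suffix are assumptions made for the example.

```python
import re

# Constructed sample group topics (topic name -> topic text), written in
# TWiki's "   * Set NAME = value" preference syntax. Not real installation files.
SAMPLE_TOPICS = {
    # Correctly protected: only members of the group itself may change it.
    "TWikiAdminGroup": """\
   * Set GROUP = Main.AdminUser
   * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup
""",
    # The shipped state AJA describes: the setting exists but is commented out.
    "UnprotectedGroup": """\
   * Set GROUP = Main.SomeUser
<!--
   * Set ALLOWTOPICCHANGE = Main.UnprotectedGroup
-->
""",
    # No ALLOWTOPICCHANGE at all.
    "NoSetGroup": """\
   * Set GROUP = Main.AnotherUser
""",
    # Set, but to a different group, so outsiders can edit the membership.
    "WrongOwnerGroup": """\
   * Set GROUP = Main.ThirdUser
   * Set ALLOWTOPICCHANGE = Main.SomeOtherGroup
""",
}

# Assumption: the site's admin group is named TWikiAdminGroup (as in the thread).
ADMIN_GROUP = "TWikiAdminGroup"

# A TWiki preference line: leading whitespace, "* Set", NAME, "=", value.
SET_RE = re.compile(r'^[ \t]+\* Set ([A-Za-z0-9_]+)\s*=\s*(.*?)[ \t]*$', re.MULTILINE)


def strip_html_comments(text):
    """Drop <!-- ... --> blocks so commented-out settings are not counted as active."""
    return re.sub(r'<!--.*?-->', '', text, flags=re.DOTALL)


def preferences(text):
    """Return the active preference settings of a topic as a dict."""
    return dict(SET_RE.findall(strip_html_comments(text)))


def check_group_topic(name, text):
    """Return a list of findings (strings) for one group topic; empty means OK."""
    prefs = preferences(text)
    findings = []
    allow = prefs.get("ALLOWTOPICCHANGE")
    if allow is None:
        findings.append(
            f"{name}: ALLOWTOPICCHANGE missing or commented out; "
            "anyone who can edit Main can change the membership")
        return findings
    # Values may be a comma-separated list such as "Main.GroupA, Main.GroupB";
    # strip the "Web." prefix from each entry before comparing.
    allowed = {entry.strip().split(".")[-1] for entry in allow.split(",") if entry.strip()}
    if name not in allowed and ADMIN_GROUP not in allowed:
        findings.append(
            f"{name}: ALLOWTOPICCHANGE = {allow!r} lets users outside the group "
            "and outside the admin group change the membership")
    return findings


def audit(topics):
    """Check every topic whose name ends in 'Group'; return {name: findings}."""
    results = {}
    for name, text in topics.items():
        if not name.endswith("Group"):
            continue  # not a group topic by TWiki's naming convention (assumption)
        results[name] = check_group_topic(name, text)
    return results


if __name__ == "__main__":
    for group, findings in audit(SAMPLE_TOPICS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{group}: {status}")
```

To run it against a real installation, replace `SAMPLE_TOPICS` with the contents of `data/Main/*Group.txt` read from disk; the checks themselves do not change.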

Shouldn't this be a configure thing?

  • You mean like having $cfg{SuperAdminGroup} = 'TWikiAdminGroup'; ?
  • Or are you saying that the malicious user can use configure to alter $cfg{SuperAdminGroup} to a value they can use?
    This gets back to having a properly configured set-up once again.
    -- AJA

Thanks for the question to clarify. I mean it looks like this group is defined as a topic but I think it would be better defined as an option in configure.

-- MC


This is not a bug, it's speculation. Discarding. Please discuss on Codev and raise a bug when there is a specific proposal. CC

ItemTemplate
Summary Is SuperAdminGroup a security hole?
ReportedBy MartinCleaver
AppliesTo Engine
Priority Normal
CurrentState No Action Required
WaitingFor

Topic revision: r5 - 2005-11-02 - CrawfordCurrie