author | Simon McVittie <smcv@debian.org> | 2019-02-10 16:56:41 +0000 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2019-02-26 22:21:31 +0000 |
commit | 9a275b2f1846d7268c71a740975447e269383849 (patch) | |
tree | 0c832065045c67438ede85f237b93f77b74ecd2b /doc/security.mdwn | |
parent | d283e4ca1aeb6ca8cc0951c8495f778071076013 (diff) | |
doc: Document security issues involving LWP::UserAgent
Recommend the LWPx::ParanoidAgent module where appropriate.
It is particularly important for openid, since unauthenticated users
can control which URLs that plugin will contact. Conversely, it is
non-critical for blogspam, since the URL to be contacted is under
the wiki administrator's control.
Signed-off-by: Simon McVittie <smcv@debian.org>
Diffstat (limited to 'doc/security.mdwn')
-rw-r--r-- | doc/security.mdwn | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn index e7770dd27..378a2e4bc 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn 
@@ -611,3 +611,52 @@ This was fixed in ikiwiki 3.20170111, with fixes backported to Debian 8 in version 3.20141016.4. ([[!debcve CVE-2017-0356]]/OVE-20170111-0001) + +## Server-side request forgery via aggregate plugin + +The ikiwiki maintainers discovered that the [[plugins/aggregate]] plugin +did not use [[!cpan LWPx::ParanoidAgent]]. On sites where the +aggregate plugin is enabled, authorized wiki editors could tell ikiwiki +to fetch potentially undesired URIs even if LWPx::ParanoidAgent was +installed: + +* local files via `file:` URIs +* other URI schemes that might be misused by attackers, such as `gopher:` +* hosts that resolve to loopback IP addresses (127.x.x.x) +* hosts that resolve to RFC 1918 IP addresses (192.168.x.x etc.) + +This could be used by an attacker to publish information that should not have +been accessible, cause denial of service by requesting "tarpit" URIs that are +slow to respond, or cause undesired side-effects if local web servers implement +["unsafe"](https://tools.ietf.org/html/rfc7231#section-4.2.1) GET requests. +([[!debcve CVE-2019-9187]]) + +Additionally, if the LWPx::ParanoidAgent module was not installed, the +[[plugins/blogspam]], [[plugins/openid]] and [[plugins/pinger]] plugins +would fall back to [[!cpan LWP]], which is susceptible to similar attacks. +This is unlikely to be a practical problem for the blogspam plugin because +the URL it requests is under the control of the wiki administrator, but +the openid plugin can request URLs controlled by unauthenticated remote +users, and the pinger plugin can request URLs controlled by authorized +wiki editors. + +This is addressed in ikiwiki 3.20190228 as follows, with the same fixes +backported to Debian 9 in version 3.20170111.1: + +* URI schemes other than `http:` and `https:` are not accepted, preventing + access to `file:`, `gopher:`, etc. 
+ +* If a proxy is [[configured in the ikiwiki setup file|tips/using_a_proxy]], + it is used for all outgoing `http:` and `https:` requests. In this case + the proxy is responsible for blocking any requests that are undesired, + including loopback or RFC 1918 addresses. + +* If a proxy is not configured, and LWPx::ParanoidAgent is installed, + it will be used. This prevents loopback and RFC 1918 IP addresses, and + sets a timeout to avoid denial of service via "tarpit" URIs. + +* Otherwise, the ordinary LWP user-agent will be used. This allows requests + to loopback and RFC 1918 IP addresses, and has less robust timeout + behaviour. We are not treating this as a vulnerability: if this + behaviour is not acceptable for your site, please make sure to install + LWPx::ParanoidAgent or disable the affected plugins. |
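Review bot: the four fix bullets at the end of the hunk describe the new user-agent selection for "all outgoing `http:` and `https:` requests" without naming which plugins this covers, while the two paragraphs above single out aggregate, blogspam, openid and pinger; stating in the lead-in "This is addressed in ikiwiki 3.20190228 as follows" that the same selection applies to all four would save readers cross-referencing. Two smaller points in the same list: the proxy bullet says the proxy "is responsible for blocking any requests that are undesired" but does not say whether the "tarpit" timeout mentioned for the LWPx::ParanoidAgent case also applies when a proxy is used, and the last bullet's advice to "install LWPx::ParanoidAgent or disable the affected plugins" would read more consistently with the second paragraph if it also mentioned configuring a proxy as the third option the list itself describes.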