This issue has been discussed on codev before but it seems to be ignored.
Now that we are 1 week from release we need to take some form of action.
The issue is only present when TWiki is used in a setup where TWiki can initiate a reset of password. If you run a corporate site with for example LDAP authentication where passwords are managed outside of TWiki you can ignore this issue.
First the issue.
User topics in the Main web are normally not write protected. Anyone can edit another user's home topic. We can easily stop this for new users by changing the new user template. But when you migrate from Athens, Beijing or Cairo to Dakar we have a real stinker issue. All the user topics contain the email address of the user. And the default in Athens-Cairo was that user topics were editable by anyone. So many wikis have 1000s of user topics that are unprotected and will be writable also after an upgrade to Dakar.
Here is the hacker's guide to hi-jacking an account.
- First check if TWikiGuest has write access to user topics. If this is the case skip next step.
- Register on TWiki with some phony name and some Yahoo or Hotmail email address that you intend to abandon afterwards. Complete the registration by entering your activation code that you received by email.
- Open the user topic of your victim. Pick someone that has not used their account for a long time. Avoid regular users (those that are authors of recent TWiki topics). If one of the members of TWikiAdminGroup has his topic editable he is a real sucker that deserves to be hijacked just for the fun of it.
- Change the email address of the user topic you want to hi-jack to your hotmail/yahoo email address.
- Go to ResetPassword and enter the account you want to hi-jack.
- Receive the autogenerated password in your email in-box.
- Change the password on the TWiki site for the hi-jacked user.
- Go ahead and have fun.
- If you were able to hijack an admin's account have even more fun.
It is too easy. And so very obvious. We cannot ship Dakar with such an open security hole.
It is not possible to set up the general access rules of the Main web so that a user can only edit his own home topic. You have to do this on each user topic and you have to set it to the name of the topic. So each user topic must have a unique access rule, e.g. Set ALLOWTOPICCHANGE = JoeBlow. With 100s, maybe 1000s and in some cases like TWiki.org 10000s of topics it is close to impossible to do this manually. It would take between a week and forever.
There is also the issue that many (Peter Thoeny is one) think editable user topics are an important part of wikiness. As Dakar is implemented today we will have to sacrifice this - at least for the time being.
Solutions (can be one or more of them):
- Make an upgrade script which will convert all user topics so that the ALLOWTOPICCHANGE gets set to the same name as the name of the topic and only for topics that are referenced in TWikiUsers.
- Make a feature in the edit that only allows the user himself to edit a topic which is linked to from TWikiUsers (and admins). This can be disabled by configure for LDAP authenticated sites where this is not necessary but is on by default.
- Remove the Reset Password feature from Dakar. That would be bad because then the whole new featureset of registration goes in the toilet. And then what is left of features in Dakar? WYSIWYG is deferred also.
- Get the email address off the user's topic and into a special file with a user interface to view and edit it where only the user and the admins can see the email address. This will also prevent email harvesters from seeing the email addresses. The way we protect people's email addresses against spamming is weak and irresponsible. With the new registration scheme we cannot even let people use phony email addresses.
for an alternative approach.
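Below is an added illustration of the first two solutions in the list, written for this page and not taken from TWiki's own code base (TWiki is Perl; this is Python so it can be read and run stand-alone). It assumes the usual data layout: each topic of the Main web is a file named TopicName.txt, with %META: lines at the top and bottom, and TWikiUsers lists registered users as "   * WikiName - login - date" bullets. The TWikiUsers content, the user topics and the admin list are all constructed sample data. upgrade_main_web() is the upgrade script idea (lock every topic that TWikiUsers references to its own name, leaving topics that already carry an explicit rule alone), and can_edit() is the edit-time check, with an enforce flag standing in for the configure switch that LDAP sites would turn off.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of Main.TWikiUsers in the bullet format registration writes.
# Not taken from the original page.
SAMPLE_TWIKIUSERS = """\
List of registered users.

   * TWikiGuest - guest - 10 Feb 1999
   * JaneDoe - jdoe - 02 Jan 2005
   * JoeBlow - jblow - 01 Jan 2005
"""

# Constructed Cairo-style home topic: email in the open, no access rule at all.
SAMPLE_JOEBLOW = """\
%META:TOPICINFO{author="JoeBlow" date="1104537600" format="1.0" version="1.1"}%
---+ Joe Blow

   * Email: joe@example.com
%META:FORM{name="UserForm"}%
"""

# Constructed topic that already has its own rule; the upgrade must not touch it.
SAMPLE_JANEDOE = """\
---+ Jane Doe

   * Set ALLOWTOPICCHANGE = JaneDoe
"""

USER_LINE = re.compile(r'^\s+\*\s+([A-Z][A-Za-z0-9]+)\s+-\s+')
ALLOW_RULE = re.compile(r'^\s+\*\s+Set\s+ALLOWTOPICCHANGE\s*=', re.MULTILINE)


def registered_users(twikiusers_text):
    """WikiNames of everyone listed in TWikiUsers: the only topics we lock."""
    names = set()
    for line in twikiusers_text.splitlines():
        m = USER_LINE.match(line)
        if m:
            names.add(m.group(1))
    return names


def lock_user_topic(text, topic_name):
    """Solution 1 for one topic: add 'Set ALLOWTOPICCHANGE = <topic name>'.

    Returns (new_text, changed). A topic that already carries an explicit
    ALLOWTOPICCHANGE rule is left exactly as the admin set it. The new bullet is
    inserted before the trailing %META: lines so it stays in the topic text.
    """
    if ALLOW_RULE.search(text):
        return text, False
    lines = text.splitlines()
    tail = len(lines)
    while tail > 1 and lines[tail - 1].startswith('%META:'):
        tail -= 1
    lines[tail:tail] = ['', '   * Set ALLOWTOPICCHANGE = ' + topic_name]
    return '\n'.join(lines) + '\n', True


def upgrade_main_web(main_dir, twikiusers_text):
    """Walk the Main web and lock every topic referenced from TWikiUsers.

    Other topics (WebHome, group topics, ...) are not touched because they are
    not listed there. Returns the names of the topics that were rewritten.
    """
    changed = []
    for name in sorted(registered_users(twikiusers_text)):
        path = Path(main_dir) / (name + '.txt')
        if not path.exists():
            continue
        new_text, did_change = lock_user_topic(path.read_text(), name)
        if did_change:
            path.write_text(new_text)
            changed.append(name)
    return changed


def can_edit(editor, topic_name, users, admins, enforce=True):
    """Solution 2: edit-time rule for user home topics.

    A topic listed in TWikiUsers may only be changed by that user or by a member
    of TWikiAdminGroup; any other topic is governed by the normal rules (True
    here). enforce=False models the configure switch for LDAP sites.
    """
    if not enforce or topic_name not in users:
        return True
    return editor == topic_name or editor in admins


def demo():
    """Build a throw-away Main web from the constructed samples and upgrade it."""
    with tempfile.TemporaryDirectory() as d:
        main = Path(d)
        (main / 'JoeBlow.txt').write_text(SAMPLE_JOEBLOW)
        (main / 'JaneDoe.txt').write_text(SAMPLE_JANEDOE)
        (main / 'WebHome.txt').write_text('Welcome to the Main web.\n')
        changed = upgrade_main_web(main, SAMPLE_TWIKIUSERS)
        return changed, (main / 'JoeBlow.txt').read_text()


if __name__ == '__main__':
    changed, joe = demo()
    print('locked:', changed)
    print(joe)
```

Running the upgrade on the sample web locks only JoeBlow: JaneDoe already has a rule and TWikiGuest has no topic file. Note that the script relies on TWikiUsers being accurate; a user topic that exists but was never listed there (for example after a hand-made registration) stays open, so the edit-time check in can_edit() is the safety net that the upgrade script alone does not give.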
Added script to process existing personal topics and scrape emails into the secret DB added in Item1461