[Moin-user] ACL security warning
Thomas Waldmann
tw at waldmann-edv.de
Sun Jun 22 11:12:03 EDT 2003
You can ignore this message, if:
* you are still using MoinMoin 1.0 or older
* you don't use ACLs to protect sensitive information in your wiki
If somebody is already using the ACL (Access Control List) feature of
the latest CVS versions, he should be aware that, until the CVS version
of right NOW, there was a security problem:
If you edit a page that is read-protected by "#acl
SomeBody,SomeGroup:read,..." and contains sensitive information that
only these people should be able to see, then that
moin-editor-backup.txt backup function (attaching the last
previewed/saved text to your homepage) made it available to all (except
if your homepage has similar ACLs, but that is mostly not the case).
So if you already use that feature to protect sensitive information, you
should:
* immediately upgrade to latest CVS
* delete all moin-editor-backup.txt files you find under data/pages/...
(that is maybe a good idea anyway, as these files won't be used any more)
With latest CVS, you still have an editor backup function, but it is
(hopefully) done safely now. It uses a subpage HomePage/MoinEditorBackup
(if subpages are allowed) or a page HomePageMoinEditorBackup (if no
subpages are allowed) to save the editor text. If ACLs are enabled, it
puts #acl YourName:read,write,delete on that page, so nobody else
(except people allowed by config, like admins) can read it.
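To show why the new per-user ACL on the backup page closes the hole, here is an added Python audit script (not MoinMoin's own code) that finds editor backup pages readable by anyone other than their owner. It assumes a simplified model of the "#acl" syntax shown above: the first entry naming the user or one of their groups decides, a page without an ACL line is readable by everyone, and the sample pages and users are constructed.

```python
from typing import Dict, List, Optional, Tuple

AclEntry = Tuple[List[str], List[str]]  # (names, rights)
BACKUP_SUFFIX = "MoinEditorBackup"      # HomePage/MoinEditorBackup or HomePageMoinEditorBackup


def parse_acl(page_text: str) -> Optional[List[AclEntry]]:
    """Parse a leading '#acl A,B:read,write C:read' line; None if the page has none."""
    first = page_text.split("\n", 1)[0].strip()
    if not first.startswith("#acl"):
        return None
    entries: List[AclEntry] = []
    for token in first[len("#acl"):].split():
        names, _, rights = token.partition(":")
        entries.append(([n for n in names.split(",") if n],
                        [r for r in rights.split(",") if r]))
    return entries


def may_read(page_text: str, user: str, groups: List[str]) -> bool:
    """Assumed rule: first entry naming the user or a group of theirs decides;
    a page without any #acl line is open to all (the old backup situation)."""
    acl = parse_acl(page_text)
    if acl is None:
        return True
    for names, rights in acl:
        if user in names or any(g in names for g in groups):
            return "read" in rights
    return False  # not named anywhere: no read right


def backup_owner(page_name: str) -> Optional[str]:
    """'Alice/MoinEditorBackup' and 'AliceMoinEditorBackup' both belong to Alice."""
    if not page_name.endswith(BACKUP_SUFFIX):
        return None
    return page_name[: -len(BACKUP_SUFFIX)].rstrip("/")


def exposed_backups(pages: Dict[str, str], users: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (backup page, reader) pairs where someone other than the owner can read it."""
    findings = []
    for name, text in sorted(pages.items()):
        owner = backup_owner(name)
        if owner is None:
            continue
        for user, groups in sorted(users.items()):
            if user != owner and may_read(text, user, groups):
                findings.append((name, user))
    return findings


# Constructed sample wiki: one backup protected as latest CVS does it, one without an ACL.
SAMPLE_PAGES = {
    "Alice/MoinEditorBackup": "#acl Alice:read,write,delete\nDraft of the salary page",
    "BobMoinEditorBackup": "Draft with customer list, no #acl line",
    "FrontPage": "#acl EditorsGroup:read,write\nWelcome",
}
SAMPLE_USERS = {"Alice": [], "Bob": [], "Eve": ["EditorsGroup"]}

if __name__ == "__main__":
    for page, reader in exposed_backups(SAMPLE_PAGES, SAMPLE_USERS):
        print(f"{page} is readable by {reader}")
```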
Sorry for any trouble ...
Thomas