From: Peter T. <pet...@at...> - 2005-02-24 08:31:40
Dear Kenneth,

we have been learning and adjusting our processes. Before it was just me who was jumping on a security issue to provide a fix and to alert the community. In the last two cases it happened within 24 hours, each:

http://twiki.org/cgi-bin/view/Codev/NoShellCharacterEscapingInFileAttachComment
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch

After the SecurityAlertExecuteCommandsWithSearch issue we defined a security team and refined the process as described in http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess

We failed on acting quickly enough on the ImageGalleryPlugin security issue. We will review our process further and make adjustments so that we can act more quickly also for non-core code.

Thanks for the feedback, regards,
Peter

Kenneth Lavrsen wrote:
>
> >The patch depends on the TWiki robustness patch. Some configuration
> >changes are required (as explained on the web page).
> >
> >Vulnerability timeline (for the ImageGalleryPlugin issue):
> >
> > 2004-11-27 bug discovered and disclosed to the TWiki core developers
> > 2004-11-29 sent patch to the TWiki core developers
> > 2004-11-30 sent bug notice and patch to the plugin author
> > 2004-12-26 sent reminder (and patch) to the TWiki security team
> > 2005-02-17 sent second reminder, pending disclosure (no reply)
> > 2005-02-23 uncoordinated public disclosure
>
> Dear core team and especially dear Peter.
> If this above is true, then you have learned nothing from the previous
> major security issue.
>
> It seems clear that the security alert system does not work.
> I joined the development and security mailing lists believing that I would
> be warned about security issues. In the case of this plugin - even without
> having a fix - at least people could uninstall the plugin until a fix is
> available. But not if reports are kept secret from us or maybe plain ignored.
> Even if the major exploit is found in a plugin made by someone - you still
> have the duty to at least issue warnings so that people can either fix the
> plugin or uninstall it when you receive information about it.
>
> I managed to patch my TWiki against the previous attack 5 hours before the
> first hacker passed by.
> I was less lucky with my AWStats in January which was hacked 4 times before
> I discovered it. It turned my server into a distribution centre of misc avi
> files. It was not until my index page was defaced 7 days after the first
> attack that I discovered what was going on.
>
> Security issues are not a theoretical possibility. It is reality. And I am
> shocked to see an email like the one above stating that you have done
> nothing to warn me and other TWiki installation maintainers since November
> 27th last year even though we have joined the relevant mailing lists.
>
> To Florian. Thanks for the warning and patch. You should perhaps describe
> to the less trained in patching how to apply the patch. By experiment I
> found that this worked.
>
> - copy patch file to the root twiki folder.
> - run: patch -p0 < twiki-robustness-r3342.diff
>
> On my Cairo, which has been hand patched with a few bugfixes since, the
> patch ran without errors. Only a few minor offset warnings.
>
> Kenneth
>
> --
> Kenneth Lavrsen,
> Glostrup, Denmark
> ke...@la...
> Home Page - http://www.lavrsen.dk

--
* Peter Thoeny Peter@Thoeny.com
* Is your team already TWiki enabled?
http://TWiki.org
* This e-mail is: (_) public (x) ask first (_) private