TracSecurityOverview
zooko edited this page 2010-01-09 16:58:41 +00:00
Trac Security Overview
This is just a quick'n'dirty document to help users make informed decisions about using this Trac.
Recommendations
- Don't use a password which you use elsewhere. (See the Twitter incident: the short story is that there were no technical security flaws, but users used the same credentials on an "unimportant" service as well as on a different, critical service, so the attacker could escalate the attack across services.)
- Don't expect the ticket database to be uncorrupted, reliable, or persistent.
- Back up the ticket database and wiki pages regularly! Use snapshots so that a corrupted copy does not overwrite correct data.
Vulnerabilities
- HTTP without SSL means a passive attacker can see all your traffic (except your password at login; see below).
- HTTP without SSL means an active attacker can do anything at all with your account privileges.
- Password reset over HTTP means an attacker learns your password with minimal effort.
- HTTP Auth uses the Digest mechanism, which means (if implemented correctly):
  - An attacker cannot learn your password from a login request.
  - The database must store your plaintext password (in order to compute the correct digest). FIXME: verify this.
  - Anyone with file system read access to the machine therefore also has all passwords.
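As an added example (not code from the original page or from Trac), here is the RFC 2617 Digest exchange for qop="auth" worked through in Python with a constructed realm, nonce and credentials. It shows the two points above: the client sends only a hash computed from the password, so a passive listener on plain HTTP never sees the password itself, and the server verifies the response from HA1 = MD5(username:realm:password), the value an htdigest file stores, so verification itself does not need the plaintext (the FIXME above asks what Trac's password store actually keeps); HA1 is still password-equivalent, so the store needs the same protection as the passwords.

```python
"""RFC 2617 HTTP Digest authentication (qop="auth"), client and server side."""
import hashlib
import hmac

# Constructed sample value; a real Trac installation sets its own realm.
REALM = "example-trac"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is what an htdigest file stores per user."""
    return _md5(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digest-uri); binds the response to one request."""
    return _md5(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, h2: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2). The password itself never goes on the wire."""
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_authorization(username, password, realm, method, uri, nonce, cnonce, nc="00000001"):
    """Fields the browser sends after the 401 challenge. On plain HTTP a passive
    attacker sees all of these, but not the password they were derived from."""
    resp = digest_response(ha1(username, realm, password), nonce, nc, cnonce, ha2(method, uri))
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": resp}


def server_verify(store: dict, realm: str, method: str, auth: dict) -> bool:
    """Server-side check. It needs only the stored HA1, never the plaintext password.
    The flip side: HA1 is password-equivalent, so whoever can read the store can
    compute valid responses, which is why the store must be protected like a password."""
    stored_ha1 = store.get(auth.get("username"))
    if stored_ha1 is None or auth.get("realm") != realm:
        return False
    expected = digest_response(stored_ha1, auth["nonce"], auth["nc"], auth["cnonce"],
                               ha2(method, auth["uri"]), auth["qop"])
    return hmac.compare_digest(expected, auth["response"])  # constant-time compare


if __name__ == "__main__":
    store = {"alice": ha1("alice", REALM, "correct horse")}  # htdigest-style store (constructed)
    auth = client_authorization("alice", "correct horse", REALM, "GET", "/trac/wiki", "n0nce123", "cn0nce")
    print(server_verify(store, REALM, "GET", auth))  # True
```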
To Do
- Search for existing Trac security references.
- Verify that plaintext passwords are stored.