• PublicMoinMoinIsNotGoodPost

Why a public python-moinmoin Wiki is not so good idea?

Hallo out there! in this issue I'm going to discuss why setting up a internet facing wiki based on MoinMoin isn't a great idea in terms of security. I'm referring in this issue about the specific wiki that you can deploy from aptitude in a stable debian version by means of this command:

apt-get install python-moinmoin

Thus the version in which I disvered the facts (hacks) is python-moinmoin_1.5.3-1.2

Wait a moment dude isn't this a MoinMoin wiki?? yes but don't tell anyone =)..anyway I am also providing some counter-hacks tips which maybe are not enough =( ...I like risks

The hacks

Here you can find some dirty stuff I have come up you can do agains a freshly installed python-MoinMoin wiki:

• After a normal install install with apt the default behaviour is allowing the creation of new users. So if you thought that an ACL restricting non authenticated users the edition of pages that is not enought.
• The great wiki will answer to the user whether a user or password is wrong or not

• There is one functionality available by default that allows the user to render a page as an XML document (DocBook) which fails if you didn't install py-XML module (which is not installed as a python-moinmoin dependency). The debug information of this failure contains information like this

    * Date: Mon, 15 Dec 2008 22:36:58 +0000
    * Platform: Linux gnomo 2.6.18-6-xen-686 #1 SMP Thu May 8 11:28:36 UTC 2008 i686
    * Python: Python 2.4.1 (/usr/bin/python)
    * MoinMoin: Release 1.8.0 (release)

you can access this failing facility by seleccing the "render as docbook" action or directly quering:

http://<www.site.com>/HelpContents?action=format&mimetype=xml/docbook

• Some other residual help stuff installed by default can lead to internal information disclosure like the SystemInformation page

The counter hacks

Now I tell you some advices so that your wiki is a bit more secure...remember there is never 100% security as it finally depends on the human being

• Disable the creation of additional users: the trip that worked for me is the inception of a new custom module that gets called when the action of creating a user is invoked. Therefore you will edit a new file <path_to_your_wiki>/data/plugin/action/userform.py

from MoinMoin.Page import Page
from MoinMoin import wikiaction

def execute(pagename, request):
        if 'create' in request.form:
                return Page(request, pagename).send_page(request, msg="Creating user accounts disabled.")

        wikiaction.do_userform(pagename, request)

Edit this file after creating your desired users!!

• Remove the "help" and informational residual content that is stored udner /path_to_your_wiki/underlay/pages :

  • SystemInfo

  • helpon*blablablah

  • DesktopEdition

  • WikiCourse

• Disable some actions that can lead to information disclosure or resources consumtion by crafting this array in you /etc/moin/yourwiki.py file:

actions_excluded=['newaccount','RenderAsDocbook','SpellCheck','PackagePages']

Apart from this the "RenderAsDocbook" action will be still enable when accessing the url directly so you will have to fine tune at Apache configuration with something like this:

<Location /esliwiki/HelpContents>
    order allow,deny
    deny from all
</Location>

Then all the users trying to reach that page and all that are supposed to be Help related will receive a 404 Forbidden page .

Adding ClustrMaps to your page footer (python-moinmoin 1.5 versions)

This is not hardening related but I will place it here. My MoinMoin wiki didn't care about me using the page_footer2 tag in the main configuration file (this should be farmconfig in etc file or you own MoinMoin config file). Thus I did this tweak wich is locating where credits are (/var/lib/python-support/python2.5/MoinMoin/multiconfig.py) and fixing the thing like this if you want the map to appear before the credits information:

page_credits = [
        '<div align="center"><a href="http://www2.clustrmaps.com/counter/maps.php?url=http://eslimasec.com" id="clustrMapsLink"><img src="http://www2.clustrmaps.com/counter/index2.php?url=http://eslimasec.com" style="border:0px;" alt="Locations of visitors to this page" title="Locations of visitors to this page" id="clustrMapsImg" onerror="this.onerror=null; this.src=\'http://clustrmaps.com/images/clustrmaps-back-soon.jpg\'; document.getElementById(\'clustrMapsLink\').href=\'http://clustrmaps.com\';" /></a></div><br>',
        '<a href="http://moinmoin.wikiwikiweb.de/">MoinMoin Powered</a>',
        '<a href="http://www.python.org/">Python Powered</a>',
        '<a href="http://validator.w3.org/check?uri=referer">Valid HTML 4.01</a>',
        ]

Adding ClustrMaps to your page footer (python-moinmoin 1.7 versions)

This is easier as you can use page_footer2 tag in your main standalone or farm wiki config file like this:

page_footer2 = '<div align="center"><a href="http://www2.clustrmaps.com/counter/maps.php?url=http://eslimasec.com" id="clustrMapsLink"><img src="http://www2.clustrmaps.com/counter/index2.php?url=http://eslimasec.com" style="border:0px;" alt="Locations of visitors to this page" title="Locations of visitors to this page" id="clustrMapsImg" onerror="this.onerror=null; this.src=\'http://clustrmaps.com/images/clustrmaps-back-soon.jpg\'; document.getElementById(\'clustrMapsLink\').href=\'http://clustrmaps.com\';" /></a></div><br>'