MoriTanosuke / dokuwiki-docker

minimal installation of DokuWiki based on Alpine Linux

Risky data exposed to public access #2

Open. conf-test opened this issue 3 years ago

conf-test commented 3 years ago

Hi,

I'm a security researcher. Thank you for providing this useful docker image! After I set it up, I found your docker image discloses some sensitive directories and files to the public: inc/, bin/, vendor/.htaccess.dist, /bin/.htaccess, /inc/.htaccess, /vendor/.htaccess

To make things worse, the TRACE, PUT and DELETE HTTP methods on these files are open to the outside, which means they can be arbitrarily changed by outside attackers if they want.

All these files should not be exposed, as warned in https://www.dokuwiki.org/security. The bin/ directory contains executables that may be exploited by attackers if they get its contents. Especially, the .htaccess files can be used in web-based exploitation, as mentioned in https://www.acunetix.com/vulnerabilities/web/htaccess-file-readable/. They use this file to hide malware, to redirect search engines to their own sites, and for many other purposes (hide backdoors, inject content, modify the php.ini values, etc.).

Would it be better to block this access in your docker image? Thanks!

Best, -ct

MoriTanosuke commented 3 years ago

Interesting, thanks for your report. I followed the description at https://www.dokuwiki.org/security#move_directories_out_of_docroot but I didn't bother to remove the bin directory, for example. Can you point me to the documentation for what I might have missed?

I also wasn't able to PUT or DELETE anything via HTTP. Do you have an example curl command which you used to modify one of the mentioned files?

conf-test commented 3 years ago

I see, I see. I think you are right. You've moved data and conf out of the docroot, and what's currently accessible through /data/* and /conf/* is dokuwiki's default data. I'm not sure if they are going to leak any version info or not, but you can decide whether to remove them or not.

Another thing is that I think the doc doesn't show how to move the vendor directory. You may find that an earlier section of the same doc shows that vendor may leak info about your environment, so it is recommended to block it. Another related issue is that .htaccess files are accessible. This may not be a big issue, as it is for the Apache web server and you are not using it, but there is some concern about showing these environment-related files.

For PUT and DELETE, you are correct. They are not enabled yet and they need some scripts to be able to work. But I guess these methods have some risks under certain conditions, so it is better to disable them if you don't need them. I also found that another risky method, TRACE, is enabled, and you may want to be aware of it. Here is some material on TRACE.

Best ~ct
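The thread asks for a concrete way to reproduce both findings: which of the listed paths actually answer with a 2xx, and whether TRACE, PUT and DELETE are accepted. The script below is an added example, not code from dokuwiki-docker or from either participant. `probe()` takes the base URL of an instance you own and returns the status per path and per method plus whatever the server advertises in its OPTIONS `Allow` header; the `_LeakyServer` class and `demo()` are a constructed stand-in for a misconfigured host (serves `/inc/.htaccess`, echoes TRACE, refuses PUT/DELETE) so the probe can be run offline. `PROBE_PATH` is an assumed-unused filename: a server that does accept PUT will create a junk file there, so only point this at a test instance.

```python
"""Probe a DokuWiki host for the two findings raised in the issue:
paths under the docroot that should not be served, and HTTP methods
(TRACE, PUT, DELETE) the web server should refuse.

Hypothetical helper, not part of dokuwiki-docker.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Paths named in the report. https://www.dokuwiki.org/security expects
# these to be blocked (403) or absent (404); any 2xx is an exposure.
SENSITIVE_PATHS = ("/inc/", "/bin/", "/vendor/.htaccess.dist",
                   "/bin/.htaccess", "/inc/.htaccess", "/vendor/.htaccess")

PROBE_PATH = "/dokuwiki-probe-should-not-exist.txt"  # assumed unused on the target


def _request(url, method="GET", body=None):
    """Return (status, headers) for `method url`; 4xx/5xx are results, not errors."""
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as e:
        return e.code, e.headers


def probe(base_url):
    """Return {'paths': {path: (status, exposed)}, 'methods': {method: (status, accepted)},
    'allow': [advertised methods]}. exposed/accepted are True when the server answered 2xx."""
    base = base_url.rstrip("/")
    paths = {}
    for p in SENSITIVE_PATHS:
        code, _ = _request(base + p)
        paths[p] = (code, 200 <= code < 300)
    methods = {}
    code, _ = _request(base + "/", "TRACE")  # 2xx means the server echoes requests
    methods["TRACE"] = (code, 200 <= code < 300)
    code, _ = _request(base + PROBE_PATH, "PUT", b"probe")
    methods["PUT"] = (code, 200 <= code < 300)
    code, _ = _request(base + PROBE_PATH, "DELETE")
    methods["DELETE"] = (code, 200 <= code < 300)
    _, hdrs = _request(base + "/", "OPTIONS")
    allow = [m.strip().upper() for m in hdrs.get("Allow", "").split(",") if m.strip()]
    return {"paths": paths, "methods": methods, "allow": allow}


class _LeakyServer(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured host: serves /inc/.htaccess,
    echoes TRACE, refuses PUT/DELETE. Exists only for the offline demo."""
    EXPOSED = {"/inc/", "/inc/.htaccess"}

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body=b"", **headers):
        self.send_response(code)
        for k, v in headers.items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path in self.EXPOSED:
            self._reply(200, b"deny from all\n")
        else:
            self._reply(404, b"not found\n")

    def do_TRACE(self):  # echoes the request line, the behaviour TRACE checks look for
        self._reply(200, (self.requestline + "\r\n").encode(), **{"Content-Type": "message/http"})

    def do_OPTIONS(self):
        self._reply(200, Allow="GET, HEAD, OPTIONS, TRACE")

    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body before answering
        self._reply(405, b"method not allowed\n")

    do_DELETE = do_PUT


def demo():
    """Run the probe against the constructed leaky server on a loopback port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _LeakyServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("http://127.0.0.1:%d" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for kind, rows in demo().items():
        print(kind, rows)
```

Against a real instance, call `probe("http://host:port")` instead of `demo()`. A hardened deployment shows no `True` in `paths` or `methods`, and an `allow` list without TRACE, PUT or DELETE; note that the `Allow` header is what the server advertises and can disagree with what it actually accepts, which is why the script also sends the methods.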