From 9a275b2f1846d7268c71a740975447e269383849 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Sun, 10 Feb 2019 16:56:41 +0000 Subject: [PATCH] doc: Document security issues involving LWP::UserAgent Recommend the LWPx::ParanoidAgent module where appropriate. It is particularly important for openid, since unauthenticated users can control which URLs that plugin will contact. Conversely, it is non-critical for blogspam, since the URL to be contacted is under the wiki administrator's control. Signed-off-by: Simon McVittie --- doc/plugins/aggregate.mdwn | 4 +++ doc/plugins/blogspam.mdwn | 2 ++ doc/plugins/openid.mdwn | 7 ++++-- doc/plugins/pinger.mdwn | 8 +++--- doc/security.mdwn | 49 +++++++++++++++++++++++++++++++++++++ doc/tips/using_a_proxy.mdwn | 22 +++++++++++++++++ 6 files changed, 87 insertions(+), 5 deletions(-) create mode 100644 doc/tips/using_a_proxy.mdwn diff --git a/doc/plugins/aggregate.mdwn b/doc/plugins/aggregate.mdwn index 75123d923..b1db828d1 100644 --- a/doc/plugins/aggregate.mdwn +++ b/doc/plugins/aggregate.mdwn @@ -11,6 +11,10 @@ The [[meta]] and [[tag]] plugins are also recommended to be used with this one. Either the [[htmltidy]] or [[htmlbalance]] plugin is suggested, since feeds can easily contain html problems, some of which these plugins can fix. +Installing the [[!cpan LWPx::ParanoidAgent]] Perl module is strongly +recommended. The [[!cpan LWP]] module can also be used, but is susceptible +to server-side request forgery. + ## triggering aggregation You will need to run ikiwiki periodically from a cron job, passing it the diff --git a/doc/plugins/blogspam.mdwn b/doc/plugins/blogspam.mdwn index 745fc48e2..0ebae7d84 100644 --- a/doc/plugins/blogspam.mdwn +++ b/doc/plugins/blogspam.mdwn 
@@ -11,6 +11,8 @@ To check for and moderate comments, log in to the wiki as an admin, go to your Preferences page, and click the "Comment Moderation" button. The plugin requires the [[!cpan JSON]] perl module. +The [[!cpan LWPx::ParanoidAgent]] Perl module is recommended, +although this plugin can also fall back to [[!cpan LWP]]. You can control how content is tested via the `blogspam_options` setting. The list of options is [here](http://blogspam.net/api/2.0/testComment.html#options). diff --git a/doc/plugins/openid.mdwn b/doc/plugins/openid.mdwn index 4c8e0d381..a061cb43f 100644 --- a/doc/plugins/openid.mdwn +++ b/doc/plugins/openid.mdwn @@ -7,8 +7,11 @@ into the wiki. The plugin needs the [[!cpan Net::OpenID::Consumer]] perl module. Version 1.x is needed in order for OpenID v2 to work. -The [[!cpan LWPx::ParanoidAgent]] perl module is used if available, for -added security. Finally, the [[!cpan Crypt::SSLeay]] perl module is needed +The [[!cpan LWPx::ParanoidAgent]] Perl module is strongly recommended. +The [[!cpan LWP]] module can also be used, but is susceptible to +server-side request forgery. + +The [[!cpan Crypt::SSLeay]] Perl module is needed to support users entering "https" OpenID urls. This plugin is enabled by default, but can be turned off if you want to diff --git a/doc/plugins/pinger.mdwn b/doc/plugins/pinger.mdwn index 00d83e1bb..f37979ac6 100644 --- a/doc/plugins/pinger.mdwn +++ b/doc/plugins/pinger.mdwn 
@@ -10,9 +10,11 @@ can be kept up-to-date. To configure what URLs to ping, use the [[ikiwiki/directive/ping]] [[ikiwiki/directive]]. -The [[!cpan LWP]] perl module is used for pinging. Or the [[!cpan -LWPx::ParanoidAgent]] perl module is used if available, for added security. -Finally, the [[!cpan Crypt::SSLeay]] perl module is needed to support pinging +The [[!cpan LWPx::ParanoidAgent]] Perl module is strongly recommended. +The [[!cpan LWP]] module can also be used, but is susceptible +to server-side request forgery. + +The [[!cpan Crypt::SSLeay]] perl module is needed to support pinging "https" urls. By default the pinger will try to ping a site for 15 seconds before timing diff --git a/doc/security.mdwn b/doc/security.mdwn index e7770dd27..378a2e4bc 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn 
@@ -611,3 +611,52 @@ This was fixed in ikiwiki 3.20170111, with fixes backported to Debian 8 in version 3.20141016.4. ([[!debcve CVE-2017-0356]]/OVE-20170111-0001) + +## Server-side request forgery via aggregate plugin + +The ikiwiki maintainers discovered that the [[plugins/aggregate]] plugin +did not use [[!cpan LWPx::ParanoidAgent]]. On sites where the +aggregate plugin is enabled, authorized wiki editors could tell ikiwiki +to fetch potentially undesired URIs even if LWPx::ParanoidAgent was +installed: + +* local files via `file:` URIs +* other URI schemes that might be misused by attackers, such as `gopher:` +* hosts that resolve to loopback IP addresses (127.x.x.x) +* hosts that resolve to RFC 1918 IP addresses (192.168.x.x etc.) + +This could be used by an attacker to publish information that should not have +been accessible, cause denial of service by requesting "tarpit" URIs that are +slow to respond, or cause undesired side-effects if local web servers implement +["unsafe"](https://tools.ietf.org/html/rfc7231#section-4.2.1) GET requests. +([[!debcve CVE-2019-9187]]) + +Additionally, if the LWPx::ParanoidAgent module was not installed, the +[[plugins/blogspam]], [[plugins/openid]] and [[plugins/pinger]] plugins +would fall back to [[!cpan LWP]], which is susceptible to similar attacks. +This is unlikely to be a practical problem for the blogspam plugin because +the URL it requests is under the control of the wiki administrator, but +the openid plugin can request URLs controlled by unauthenticated remote +users, and the pinger plugin can request URLs controlled by authorized +wiki editors. + +This is addressed in ikiwiki 3.20190228 as follows, with the same fixes +backported to Debian 9 in version 3.20170111.1: + +* URI schemes other than `http:` and `https:` are not accepted, preventing + access to `file:`, `gopher:`, etc. 
+ +* If a proxy is [[configured in the ikiwiki setup file|tips/using_a_proxy]], + it is used for all outgoing `http:` and `https:` requests. In this case + the proxy is responsible for blocking any requests that are undesired, + including loopback or RFC 1918 addresses. + +* If a proxy is not configured, and LWPx::ParanoidAgent is installed, + it will be used. This prevents loopback and RFC 1918 IP addresses, and + sets a timeout to avoid denial of service via "tarpit" URIs. + +* Otherwise, the ordinary LWP user-agent will be used. This allows requests + to loopback and RFC 1918 IP addresses, and has less robust timeout + behaviour. We are not treating this as a vulnerability: if this + behaviour is not acceptable for your site, please make sure to install + LWPx::ParanoidAgent or disable the affected plugins. diff --git a/doc/tips/using_a_proxy.mdwn b/doc/tips/using_a_proxy.mdwn new file mode 100644 index 000000000..39df3c42a --- /dev/null +++ b/doc/tips/using_a_proxy.mdwn @@ -0,0 +1,22 @@ +Some ikiwiki plugins make outgoing HTTP requests from the web server: + +* [[plugins/aggregate]] (to download Atom and RSS feeds) +* [[plugins/blogspam]] (to check whether a comment or edit is spam) +* [[plugins/openid]] (to authenticate users) +* [[plugins/pinger]] (to ping other ikiwiki installations) + +If your ikiwiki installation cannot contact the Internet without going +through a proxy, you can configure this in the [[setup file|setup]] by +setting environment variables: + + ENV: + http_proxy: "http://proxy.example.com:8080" + https_proxy: "http://proxy.example.com:8080" + # optional + no_proxy: ".example.com,www.example.org" + +Note that some plugins will use the configured proxy for all destinations, +even if they are listed in `no_proxy`. + +To avoid server-side request forgery attacks, ensure that your proxy does +not allow requests to addresses that are considered to be internal.
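Review bot: In the doc/plugins/aggregate.mdwn hunk, the added sentence "The [[!cpan LWP]] module can also be used, but is susceptible to server-side request forgery" leaves the administrator without a pointer to what is actually exposed. Suggest linking it to the new "Server-side request forgery via aggregate plugin" section of [[security]], which already explains that with plain LWP only `http:` and `https:` are accepted but loopback and RFC 1918 addresses stay reachable. The same sentence is added in openid.mdwn and pinger.mdwn and would benefit from the same link.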
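Review bot: In the doc/plugins/pinger.mdwn hunk, the rewritten line "The [[!cpan Crypt::SSLeay]] perl module is needed to support pinging" keeps the lowercase "perl", while the two lines added just above it and the matching line in openid.mdwn use "Perl module". Since this line is being rewritten anyway, capitalise it here so the paragraph is consistent within the patch.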
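Review bot: In the doc/security.mdwn hunk, the bullet beginning "If a proxy is [[configured in the ikiwiki setup file|tips/using_a_proxy]]" says the proxy is responsible for blocking loopback and RFC 1918 addresses but says nothing about timeouts, whereas the next bullet credits LWPx::ParanoidAgent with setting "a timeout to avoid denial of service via "tarpit" URIs". As written, a reader cannot tell whether the tarpit protection still applies once a proxy is configured. Suggest stating explicitly which user agent and timeout behaviour are in effect in the proxy case. Separately, the heading "Server-side request forgery via aggregate plugin" is narrower than the section, which also covers the LWP fallback in blogspam, openid and pinger.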
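Review bot: In the new doc/tips/using_a_proxy.mdwn, "Note that some plugins will use the configured proxy for all destinations, even if they are listed in `no_proxy`" does not say which plugins, and it reads as inconsistent with security.mdwn in this same patch, which states that a configured proxy "is used for all outgoing `http:` and `https:` requests". If any plugin does honour `no_proxy`, those destinations bypass the proxy's filtering, which matters for the final paragraph's advice. Suggest naming the plugins on each side and noting that hosts listed in `no_proxy` are not protected by the proxy's blocking of internal addresses.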