wiki:TracSecurityOverview

Version 2 (modified by zooko, at 2010-01-09T16:58:41Z) (diff)

link to the twitter incident

Trac Security Overview

This is just a quick'n'dirty document to help users make informed decisions about the Trac.

Recommendations

  • Don't use a password which you use elsewhere. (See: Twitter incident) (the short story is that there were no technical security flaws, but users used the same creds on an "unimportant" service as well as a different critical service, so the attacker could escalate the attack across services.)
  • Don't expect the ticket database to be non-corrupt or reliable or persistent.
    • Backup the ticket database and wiki pages regularly! Use snapshots so corruption does not overwrite correct data.

Vulnerabilities

  • HTTP without SSL means a passive attacker can see all your traffic (except password on login, see below).
  • HTTP without SSL means an active attacker can do anything at all with your account privileges.
  • Password reset over HTTP means the attacker knows your password with minimal effort.
  • HTTP Auth uses Digest mechanism, which means (if implemented correctly):
    • Attacker cannot learn your password during a login request.
    • The database must store your plaintext password (in order to compute the correct digest). [FIXME: verify.]
      • Anyone with file system read access to the machine also has all passwords.

To Do

  • Search for existing Trac security references.
  • Verify that plaintext passwords are stored.