security

Differences

This shows you the differences between two versions of the page.

security [2017-07-08 02:01] – [Web Access Security] 5.172.255.213security [2024-02-13 09:17] (current) – undo 178.197.202.230
Line 11: Line 11:
 When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are: When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are:
  
 +  * Report through [[https://www.huntr.dev/repos/splitbrain/dokuwiki|huntr.dev]]
   * Submit a [[bugs|bug report]]   * Submit a [[bugs|bug report]]
   * Send a mail to the [[mailinglist]]   * Send a mail to the [[mailinglist]]
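Review bot: inserting huntr.dev at the top of the list changes what "The first two ways should be preferred except for very serious bugs" in the following paragraph refers to: before this change the two preferred channels were the bug report and the mailing list, now they are huntr.dev and the bug report, and the public mailing list is grouped with whatever follows it. Suggest either updating that sentence (for example "The first three ways ...", or naming the channels explicitly) in the same revision so that the preference statement still matches the list.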
Line 17: Line 18:
 The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide.
  
-All previous security issues can be seen in the [[http://bugs.dokuwiki.org/index.php?tasks=all&project=1&type=1&cat=5&status=all&perpage=20|bugtracking system]].+Previous security issues can be seen in the [[https://github.com/dokuwiki/dokuwiki/issues?q=label%3ASecurity+|bugtracking system]].
  
 Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism.
Line 35: Line 36:
   * ''bin''   * ''bin''
   * ''inc'' (isn't dangerous when accessible, though)   * ''inc'' (isn't dangerous when accessible, though)
 +  * ''vendor'' (leaks info about your environment)
  
-To check if you need to adjust the access permissions try to access ''%%http://yourserver.com/data/pages/wiki/dokuwiki.txt%%''. You should not get access to that file this way.+To check if you need to adjust the access permissions try to access ''%%http://yourserver.com/data/pages/wiki/dokuwiki.txt%%''. You should not get access to that file this way. The [[admin_window|Admin Interface]] will also check this for you and display a warning, if something is wrong.
  
-(More about permissions - [[install:permissions|install:permissions]] - but it does not deal with the lack of detailed information about Dokuwiki's directory permissionsI mean about short form of presentation, e.g. "Above four directories -// /data, /conf, /bin, /inc //- need to have 0700 permissions" etc.)+Please note that this has nothing to do with [[install:permissions|file permissions]]. Web access is configuration specific to your webserver.
  
 If your directories are not properly secured, read the following subsections on how to do that. If your directories are not properly secured, read the following subsections on how to do that.
 +
  
 ==== Deny Directory Access in Apache ====  ==== Deny Directory Access in Apache ==== 
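Review bot: the self-check paragraph still only probes the `data` directory (`http://yourserver.com/data/pages/wiki/dokuwiki.txt`), while this hunk adds `vendor` to the list of directories that must be blocked. A webserver rule that was written against the old list would block `data` and pass this check while leaving `vendor` reachable; suggest asking the reader to also request a known file under `vendor` (and `conf`) and to expect a denial for each, or to rely on the Admin Interface warning that the same paragraph now mentions.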
Line 46: Line 49:
 The simplest way is to enable ''.htaccess'' support in your Apache configuration. Please see the [[http://httpd.apache.org/docs/2.2/howto/htaccess.html|Apache .htaccess Tutorial]]. The simplest way is to enable ''.htaccess'' support in your Apache configuration. Please see the [[http://httpd.apache.org/docs/2.2/howto/htaccess.html|Apache .htaccess Tutorial]].
  
-DokuWiki already comes with correctly configured .htaccess files. The contents of a .htaccess file to block all access to the directory it is in should be as follows (valid for both Apache 2.2 and 2.4):+DokuWiki already comes with correctly configured ''.htaccess'' files. The contents of a ''.htaccess'' file to block all access to the directory it is in should be as follows (valid for both Apache 2.2 and 2.4):
  
 <code> <code>
Line 58: Line 61:
 </code> </code>
  
-**Remark** : Using apache2 on Ubuntu, the .htaccess does not work until you activate the 'mod_rewrite' in apache2 (sudo a2enmod rewrite && sudo service apache2 restart) +Please note that many distributions have .htaccess support disabled by default. To enable it you need to set the [[https://httpd.apache.org/docs/current/mod/core.html#allowoverride|AllowOverride]] directive from ''None'' to ''All'' for the directory your wiki is installed in.
- +
-It seems that Apache2 in general, or it might be specifically to Ubuntu, is configured slightly differently than Apache1.x. +
- +
-In the ///etc/apache2/sites-available// (or you need to modify the file //default//, e.g. //000-default.conf//) (or the file //default-ssl// if you use https rather than http) +
- +
-There you'll find: +
- +
-<code> +
-NameVirtualHost * +
-<VirtualHost *> +
-        ServerAdmin admin@site.com +
- +
-        DocumentRoot /var/www/ +
-        <Directory /> +
-                Options FollowSymLinks +
-                AllowOverride None +
-        </Directory> +
-        <Directory /var/www/> +
-                Options Indexes FollowSymLinks MultiViews +
-                AllowOverride none +
-                Order allow,deny +
-                allow from all +
-        </Directory> +
-</code> +
-Default for AllowOverride in the <nowiki><Directory /var/www/></nowiki> is (double) **none**, should be (double) **all** +
- +
-///etc/init.d/apache2 reload// to refresh your apache configuration and your .htaccess files should now work. +
- +
-:!:///etc/init.d/apache2 reload// may not work. You can try ''sudo service apache2 restart'' instead. +
- +
-(See http://ubuntuforums.org/showthread.php?t=47669 for the full thread)+
  
-[you can make this change also for the particular directory containing your DokuWiki installation, ie. ''/var/www/path-to-dokuwiki'' instead of changing that globally]+Check this [[https://help.ubuntu.com/community/EnablingUseOfApacheHtaccessFiles|detailled tutorial for Ubuntu]]. Configuration for Apache on other distributions is very similar.
  
-----+Alternatively you can use the [[https://httpd.apache.org/docs/current/mod/core.html#locationmatch|LocationMatch]] directive to prevent access to the mentioned directories without enabling .htaccess support. This has better performance, but you may need to update the directive in the future when new directories are added in DokuWiki. An example may look like this:
  
-The other way is to use ''LocationMatch'' directive inside ''VirtualHost'' definition - it's a little bit more efficient than ''.htaccess''. Just below ''Directory'' directive add: 
 <code> <code>
-<LocationMatch "/(data|conf|bin|inc)/">+<LocationMatch "/(data|conf|bin|inc|vendor)/">
     Order allow,deny     Order allow,deny
     Deny from all     Deny from all
Line 104: Line 75:
 </code> </code>
  
-//However see the "What to use When" section here [[http://httpd.apache.org/docs/2.4/sections.html#file-and-web]] for a statement that "Location" directives should not be used for protecting filesystem objects, only virtual (e.g. database-generated) paths. IMO if .htaccess isn't available or sufficient, then putting directory-specific restrictions directly in the hosts conf file would be the safest approach. This [[http://ada.adrianlang.de/dokuwiki-php-execution#solutions_in_the_configuration]] seems a solid approach - but this document should be "canonical".// 
- 
----- 
- 
-The above could cause a problem if you have another "root" that includes the directories data|conf|bin|inc. For example another wiki installation. 
-You can avoid this problem by extending your LocationMatch within your wiki installation folder. 
-<code> 
-        <Directory /var/www/dokuwiki> 
-            order deny,allow 
-            allow from all 
-        </Directory> 
- 
-        <LocationMatch "/(data|conf|bin|inc)/"> 
-            order allow,deny 
-            deny from all 
-            satisfy all 
-        </LocationMatch> 
-</code> 
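Review bot: the new `LocationMatch "/(data|conf|bin|inc|vendor)/"` example keeps `Order allow,deny` / `Deny from all`, which on Apache 2.4 only work when mod_access_compat is loaded, whereas the `.htaccess` paragraph above promises a form "valid for both Apache 2.2 and 2.4"; suggest adding the 2.4 native `Require all denied` (for example inside an `<IfModule mod_authz_core.c>` pair) so the two examples are consistent. The rewrite also drops two caveats that the removed text carried: the regex is unanchored, so it matches any URL containing one of those segments (the removed paragraph gave "another wiki installation" under the same root as the case where this bites), and the Apache documentation note that `Location` sections are not meant for protecting filesystem objects. Consider anchoring the pattern to the wiki's base path or keeping a one-line pointer to the `Directory`-based alternative.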
 ==== Deny Directory Access in IIS ==== ==== Deny Directory Access in IIS ====
  
Line 134: Line 87:
   - click on "Deny Sequence..."   - click on "Deny Sequence..."
   - enter "/data/" in the popup box and click "OK"   - enter "/data/" in the popup box and click "OK"
-  - Repeat the "Deny Sequence..." instruction for the /conf/ /bin/ and /inc/ directories+  - Repeat the "Deny Sequence..." instruction for the /conf/ /bin/ /inc/ and /vendor/ directories
  
  
Line 170: Line 123:
                     <add sequence="/bin/" />                     <add sequence="/bin/" />
                     <add sequence="/inc/" />                     <add sequence="/inc/" />
 +                    <add sequence="/vendor/" />
                 </denyUrlSequences>                 </denyUrlSequences>
             </requestFiltering>             </requestFiltering>
Line 186: Line 140:
   * ''bin''   * ''bin''
   * ''inc'' (isn't dangerous when accessible, though)   * ''inc'' (isn't dangerous when accessible, though)
 +  * ''vendor''
  
 <file xml web.config> <file xml web.config>
Line 205: Line 160:
   - Right-Click the folder and chose Properties -> Directory Security -> IP address and domain name restrictions -> Edit...   - Right-Click the folder and chose Properties -> Directory Security -> IP address and domain name restrictions -> Edit...
   - Choose "By default, all computers will be: Denied access"   - Choose "By default, all computers will be: Denied access"
-  - Repeat this for /data/ /conf/ /bin/ and /inc/ directories+  - Repeat this for /data/ /conf/ /bin/ /inc/ and /vendor/ directories
  
 ==== Deny Directory Access in Lighttpd ==== ==== Deny Directory Access in Lighttpd ====
  
-Using a [[http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModRewrite|URL re-write]] you can deny access to the above directories. In your lighttpd.conf file adding the following URL rewrite rule should be sufficient to keep people out((Unfortunately it does not not when people are using [[https://vivaldi.com/|Vivaldi]] and probably other chromium based browsers. When combined with "mod_accessit does keep people out.)) . It suppose your Dokuwiki files are installed under http://yourwebsite.tld/dokuwiki/. Don't forget to uncomment ''//"mod_rewrite"//'' in the ''//server.modules//'' section.+Using a [[https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModRewrite||URL re-write]] you can deny access to the above directories. In your /etc/lighttpd/lighttpd.conf file adding the following URL rewrite rule should be sufficient to keep people out. It supposes your Dokuwiki files are installed under http://yourwebsite.tld/dokuwiki/
 +  url.rewrite-once = "^/dokuwiki/(data|conf|bin|inc|vendor)/+." => "/nonexistentfolder"
 +Don't forget to uncomment or add “mod_rewrite” in the server.modules section of /etc/lighttpd/lighttpd.conf. It should look like this: 
 +  server.modules += ( 
 +    "mod_compress", 
 +    "mod_dirlisting", 
 +    "mod_staticfile", 
 +    "mod_rewrite", 
 +  ) 
 +Unfortunately it does not keep people out who are using Vivaldi and probably other Chromium based browsers. When combined with “[[https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModAccess|mod_access]]” it does keep people out. More mod_access examples are available [[https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModAccess|here]].\\ 
 +In /etc/lighttpd/lighttpd.conf "mod_accessshould be in the "server.modules = (" section. Also add
 <code> <code>
-url.rewrite-once = ( "^/dokuwiki/(data|conf|bin|inc)/+.*" => "/nonexistentfolder"+$HTTP["url"] =~ "^/dokuwiki/(data|conf|bin|inc|vendor)/+." { 
-</code> +url.access-deny = ("")
- +
-Or use ''//"mod_access"//''. More examples available [[http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModAccess|here]]. +
-<code> +
-$HTTP["url"] =~ "^/dokuwiki/(data|conf|bin|inc)/+.*" { +
-    url.access-deny = ("")+
 } }
 </code> </code>
 +to /etc/lighttpd/lighttpd.conf.\\ 
 +\\ 
 +Restart lighttpd with systemctl reload-or-restart lighttpd and check the status with systemctl status lighttpd
 ==== Deny Directory Access in Nginx ==== ==== Deny Directory Access in Nginx ====
  
 Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file.
-In your nginx.conf file add the following location to prevent access to secure directories. +In your host configuration file (for example, /etc/nginx/sites-available/default) or nginx.conf file add the following location to prevent access to secure directories.
  
-//This instruction is slightly misleadingWhat you should actually edit is the /etc/nginx/sites-available/default fileRemember to first create a backup by issuing cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak// +:!: Make sure that the rule is processed before other rules that control access to certain files.((See this [[https://forum.dokuwiki.org/d/21122-security-warning-persists/9|forum thread]] and [[https://stackoverflow.com/questions/76369813/why-are-my-jpg-and-png-files-accessible-despite-nginx-access-restriction|stackoverflow]]))
-//Or in the virtualhost where you are hosting dokuwiki//+
  
 <code> <code>
-    location ~ /(data|conf|bin|inc)/ {+    location ~ /(data|conf|bin|inc|vendor)/ {
       deny all;       deny all;
     }     }
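Review bot: the new lighttpd line `url.rewrite-once = "^/dokuwiki/(data|conf|bin|inc|vendor)/+." => "/nonexistentfolder"` loses the parentheses that the removed version had (`url.rewrite-once = ( "..." => "..." )`), and lighttpd requires that list syntax for a key/value rule. It also changes the trailing `/+.*` to `/+.`, so a request for the bare directory such as `/dokuwiki/data/` no longer matches, while `mod_dirlisting` is enabled in the very module list shown next to it; the `$HTTP["url"] =~ "^/dokuwiki/(data|conf|bin|inc|vendor)/+."` block has the same regex change. Suggest restoring the `( ... )` and `.*` in both places. Minor: `"mod_accessshould be` is missing its closing quote and space, and the lighttpd snippets are indented as wiki preformatted text rather than placed in `<code>` blocks like the rest of the section.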
Line 238: Line 199:
  
 <code> <code>
-    location ~ /(conf|bin|inc)/ {+    location ~ /(conf|bin|inc|vendor)/ {
         deny all;         deny all;
     }     }
Line 253: Line 214:
 then add a new "Regular Expression" rule and put the following in it (supposing that dokuwiki sits on the root directory): then add a new "Regular Expression" rule and put the following in it (supposing that dokuwiki sits on the root directory):
 <code> <code>
-   /(data|conf|bin|inc)/+   /(data|conf|bin|inc|vendor)/
 </code> </code>
 Remember to set it as "NON FINAL", because if not, some code under those directories may still being executed under certain circumstances ("Extensions php" rule as "NON FINAL" present, for example). Remember to set it as "NON FINAL", because if not, some code under those directories may still being executed under certain circumstances ("Extensions php" rule as "NON FINAL" present, for example).
Line 275: Line 236:
  /bin  /bin
  /inc  /inc
 + /vendor
  }  }
 } }
 </code> </code>
- 
- 
-==== Rename data Directory ==== 
- 
-Securing the ''data'' directory is most important. If you cannot move directories out of the webserver (see below) or can't configure your webserver to deny access (see above), then you should at least make it harder to guess the name of your data directory. 
- 
-To do so, rename your data directory to something cryptic (eg. a long row of letters and numbers) and reconfigure your [[config:savedir]] option in your ''conf/local.php'' file. 
  
 ==== Move Directories out of DocRoot ==== ==== Move Directories out of DocRoot ====
  
-The most secure way to avoid any access to  the mentioned directories is to move them outside the so called "Document Root" of your Webserver.+The most secure way to avoid any access to  the mentioned directories is to move them outside the so called "Document Root" of your Webserver. This is usually not needed if you followed the guides above and requires a bit more understanding on how webserver and DokuWiki works. None-the-less it is the safest way to secure your DokuWiki install regardless of the used webserver.
  
 **__WARNING:__** If you are planning to use the [[installer]], you need to install your wiki executing the install.php script first before you can do this step. If the Move Directories operation is done before, the installer execution will fail. **__WARNING:__** If you are planning to use the [[installer]], you need to install your wiki executing the install.php script first before you can do this step. If the Move Directories operation is done before, the installer execution will fail.
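Review bot: removing the "Rename data Directory" section also removes the only fallback the page offered for the case it described (cannot move directories out of the document root and cannot configure the webserver to deny access); if dropping that obscurity-based advice is intentional, the expanded "Move Directories out of DocRoot" paragraph would be the place to say that there is no substitute for a proper webserver rule. Minor: `None-the-less` should be `Nonetheless`, `how webserver and DokuWiki works` reads better as `how the webserver and DokuWiki work`, and there is a double space in `access to  the`.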
Line 304: Line 259:
  
   - Move the ''conf'' directory (and all its contents) out of the document root   - Move the ''conf'' directory (and all its contents) out of the document root
-  - Create a file named preload.php inside the ''inc'' directory and set the ''DOKU_CONF'' define to the new location of the ''conf'' directory.+  - Create a file named ''preload.php'' inside the ''inc'' directory and set the ''DOKU_CONF'' define to the new location of the ''conf'' directory.
  
 For example, if the ''conf'' directory is moved to ''/home/yourname/conf'', create the following ''inc/preload.php'': For example, if the ''conf'' directory is moved to ''/home/yourname/conf'', create the following ''inc/preload.php'':
Line 334: Line 289:
   * [[config:fullpath]] -- showing full path names for pages   * [[config:fullpath]] -- showing full path names for pages
   * all [[auth|authentication settings]]   * all [[auth|authentication settings]]
-  * [[config:usewordblock]] -- prevent spam through a blacklist+  * [[config:usewordblock]] -- prevent spam through a blocklist
   * [[config:mailguard]] -- avoid mail address harvesting robots   * [[config:mailguard]] -- avoid mail address harvesting robots
   * [[config:iexssprotect]] -- protect against a XSS problem within Internet Explorer   * [[config:iexssprotect]] -- protect against a XSS problem within Internet Explorer
Line 352: Line 307:
   * If you can, review the plugin source code yourself, //before// installing it.   * If you can, review the plugin source code yourself, //before// installing it.
   * If in doubt, ask on the [[mailinglist|mailing list]].   * If in doubt, ask on the [[mailinglist|mailing list]].
-  * Plugins are installed under the DokuWiki ''lib'' directory, which is directly accessible from the outside. Review what a plugin contains and lock down access with .htaccess files as appropriate.+  * Plugins are installed under the DokuWiki ''lib'' directory, which is directly accessible from the outside. Review what a plugin contains and if access is appropriate, plugins shouldn't store sensitive info in their own directory.
   * Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, have malicious intent or may host the plugin source code on a server that has been compromised. Be careful whom you trust!   * Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, have malicious intent or may host the plugin source code on a server that has been compromised. Be careful whom you trust!
   * Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available.   * Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available.
 +  * If in doubt, let plugins be reviewed by a professional first. See [[faq:support]].
  
 See also: [[devel:security#reporting_security_issues|How to report security issues in plugins]] See also: [[devel:security#reporting_security_issues|How to report security issues in plugins]]
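Review bot: the rewritten plugin bullet, "Review what a plugin contains and if access is appropriate, plugins shouldn't store sensitive info in their own directory.", is a run-on that no longer tells the reader what to do, whereas the removed text gave a concrete action (lock down access with `.htaccess` files). Suggest: "Review what a plugin contains and whether exposing it is appropriate; plugins should not store sensitive information in their own directory, since `lib` is reachable from the outside."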
Line 369: Line 325:
   * [[install:php|PHP Configuration for DokuWiki]]   * [[install:php|PHP Configuration for DokuWiki]]
   * [[tips:clean_acl|Remove ACL rules for deleted pages]]   * [[tips:clean_acl|Remove ACL rules for deleted pages]]
-  * {{http://www.apachesecurity.net/download/apachesecurity-ch03.pdf|Apache Security - Chapter 3: Locking down PHP}}.((No longer there; please try [[https://www.feistyduck.com/books/apache-security/]])) +  * [[https://www.feistyduck.com/library/apache-security/|Apache Security]]
-  * [[http://www.bouthors.fr/wiki/doku.php?id=en:linux:dokuwiki:secu|How to completely hide unauthorized pages]]+
security.1499472119.txt.gz · Last modified: 2017-07-08 02:01 by 5.172.255.213
