[Silva-general] Silva Security Bulletin: Potential security issue with External Sources
eric casteleijn
eric at infrae.com
Tue Feb 5 15:34:00 CET 2008
We have had a security issue brought to our attention recently that
potentially affects all versions of Silva using the External Sources
extension. This might prompt an update if you suspect your site is affected.
The issue:
----------
Silva indexes Silva Documents and other content to make it searchable.
To this end the full text of a Silva Document (version) is extracted and
stored in the catalog, so that searches on words occurring in the
document will include the document in the results.
It appears that the fulltext extraction was a tad naive in that it just
takes the Silva XML and throws away all tags. This is problematic in the
case of Code Sources, the parameter values of which appear enclosed in
tags as such:
<source id="foo">
<parameter type="string" key="should_be_hidden_text">
verboten
</parameter>
</source>
and in this case a search on 'verboten' would return the document
containing this Code Source.
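To make the difference concrete, here is an added example (not Silva's own code) contrasting a tag-stripping extractor with one that skips <source> elements entirely; the <doc>/<p> wrapper around the Code Source and the whole-word search stand-in are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Silva Document body with an embedded Code Source.
# The <source>/<parameter> elements mirror the bulletin; <doc> and <p> are assumed.
SAMPLE_XML = """<doc>
<p>Public paragraph about the weather.</p>
<source id="foo">
<parameter type="string" key="should_be_hidden_text">
verboten
</parameter>
</source>
<p>Another public paragraph.</p>
</doc>"""


def naive_fulltext(xml_text):
    """The flawed approach: drop every tag and keep all remaining text,
    which leaks Code Source parameter values into the catalog."""
    return " ".join(re.sub(r"<[^>]+>", " ", xml_text).split())


def fixed_fulltext(xml_text):
    """Walk the parsed tree and collect text, but skip <source> subtrees
    so parameter values never reach the catalog."""
    root = ET.fromstring(xml_text)
    parts = []

    def walk(el):
        if el.tag == "source":
            # Skip the whole Code Source, but keep text that follows it.
            if el.tail:
                parts.append(el.tail)
            return
        if el.text:
            parts.append(el.text)
        for child in el:
            walk(child)
        if el.tail:
            parts.append(el.tail)

    walk(root)
    return " ".join(" ".join(parts).split())


def is_indexed(word, fulltext):
    """Crude stand-in for a catalog search: case-insensitive whole-word match."""
    return word.lower() in fulltext.lower().split()
```

Running `is_indexed("verboten", naive_fulltext(SAMPLE_XML))` reproduces the leak, while the same search over `fixed_fulltext(SAMPLE_XML)` finds nothing yet still indexes the surrounding paragraphs.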
There is probably no cause for panic, as for this to be truly
problematic you have to be using the External Sources extension and
sensitive data (such as passwords or email addresses) has to be stored
as parameter values (i.e. authors would have to fill in that data when
editing a document containing the Code Source) *and* someone would have
to do a search for the value or a word in close proximity to the Code
Source parameter in either Silva Find or the old search.
Having said that, for those of you that might have sensitive data as
parameter values for Code Sources, it is important to update as soon as
possible.
The fix
-------
Deploy the relevant version of SilvaDocument to your site, and rebuild
the catalog (if you do not know how to do this, contact me, and include
your Silva version number.)
The fix is in SilvaDocument, and is contained in the following releases:
http://infrae.com/download/Silva/2.0.5/Silva-2.0.5-all.tgz
http://infrae.com/download/Silva/1.6.2/Silva-1.6.2.tgz
http://infrae.com/download/Silva/1.5.11/Silva-1.5.11-all.tgz
We sincerely apologize for the inconvenience this undoubtedly causes for
some of you,
-- eric casteleijn
http://www.infrae.com