01425: Improve the OOTB security of PmWiki

Summary: Improve the OOTB security of PmWiki
Created: 2017-11-07 21:46
Status: Open
Category: Security
From: Simon
Priority: 5
Version: latest
OS: n/a
see https://observatory.mozilla.org/analyze.html?host=pmwiki.org

Observatory by Mozilla has helped over 80,000 websites by teaching developers, system administrators, and security professionals how configure their sites safely and securely.

PmWiki currently achieves an F rating (3/11 2018-06-14). Therefore PmWiki based websites are also likely to achieve an F rating.

Simon November 07, 2017, at 09:47 PM

This is related to 01389 (Improve PmWiki Security through Content Security Policy support and removing inline javascript and style), see my comments there.

All these are possible today with the core PmWiki, except the "Secure/HTTPOnly" cookie flags, and I'll add those for 2.2.106. Obviously, this requires the website to be on a HTTPS protocol only otherwise you get an automatic F.

This can be added to config.php to pass most Mozilla tests (except the secure cookie and the CSP) and move instantly from F to B:

  if($UrlScheme != 'https' &&  ! preg_match('! MSIE [1-8]\\.!', $_SERVER['HTTP_USER_AGENT'])) {
    $url = "https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}";
    Redirect($pagename, $url);
  # $HTTPHeaders[] = "Strict-Transport-Security: max-age=15768000"; # see note
  $HTTPHeaders[] = "Content-Security-Policy: default-src https:";
  $HTTPHeaders[] = "Referrer-Policy: strict-origin-when-cross-origin";
  $HTTPHeaders[] = "X-Content-Type-Options: nosniff";
  $HTTPHeaders[] = "Content-Security-Policy: frame-ancestors 'self'";
  $HTTPHeaders[] = "X-Frame-Options: SAMEORIGIN";
  $HTTPHeaders[] = "X-XSS-Protection: 1; mode=block";

(Strict-Transport-Security: do not add this even for testing it if you have not enabled HTTPS and guaranteed it for at least 6 months in the future: with this the browsers will refuse to connect to the HTTP site at all for 6 months.)

The features that you will probably miss the most are the ones that will be dropped by CSP (no WikiStyles, no style="" attribute for divs/tables, no translated/i18n JavaScript addons, no modules like Flash/Java/Silverlight), and many existing JavaScript-inside-PHP addons will have to be rewritten (ddmu, deobmail, toggle, untoggle, *toc, worse...) and some popular skins.

You can read the documentation on the page you linked to see how to change the CSP header to something stricter, and get 2.2.106 for the secure cookies.

Note that this only configures PmWiki headers, not the whole server (PmWiki has no vocation to do the latter) so if the server does serve the HTTP protocol for static or other non-pmwiki files, the above code will not make the server more secure (but a PmWiki URL will pass the tests).

Also note that all the above can, and probably should, be configured on the server, not inside PmWiki. Configuring only PmWiki may create a false sense of security. Consult your server/hosting documentation about how to do this.

About PmWiki.org (domain, hosting, Apache server), it is owned and managed by Pm (I manage the wiki): I've been asking him for months to get a HTTPS certificate but he's been too busy (and a whole server upgrade/migration is reportedly due first). --Petko November 08, 2017, at 07:57 AM

There are actually programmable ways to disable inline JS & CSS - rewrite all recipes that allow configuration/i18n to load their content via a pmwiki action, eg ?action=deobmail.js. This will be slower as every page will have to be loaded multiple times but it is not impossible. Another way (for JavaScript, not CSS) is to pass the configuration inside data attributes. It may also be possible to inject custom CSS via JavaScript. All this requires planning, coordination and work, but if there is strong interest and will, I can make the time to work on this. --Petko November 08, 2017, at 08:52 AM