Date: Sun, 14 Nov 2004 17:11:30 -0800
From: Peter Thoeny
To: Hans Ulrich Niedermann
Cc: Roman Medina-Heigl Hernandez, public@*.de
Subject: Re: Lame TWiki advisory

All:

I am not participating in flame wars. I am just pointing out the facts. I do not care who discovered it first; my highest priority is that public TWikis are safe and secured before crackers can take advantage of vulnerabilities.

1. At TWiki.org we have a process defined for how to handle security issues. It is clearly marked in the BugReport page, http://TWiki.org/cgi-bin/view/Codev/BugReport :

   "Important: In case you think that you discovered a security issue that could potentially compromise public TWiki installations, please contact one of the CoreTeam members by e-mail. We will follow up in a timely manner with a fix and will inform administrators before the issue gets public."

2. Roman contacted me on Thursday that he discovered a vulnerability and that he wants to prepare a security advisory. I replied on the same day with recommended actions based on our process.

3. Friday morning: Andreas Thienemann and Benjamin Schweizer inform me of the vulnerability. At that time we did not know what caused it. Andreas and I exchanged some e-mail to narrow down the issue. Andreas forwarded me the log entries of a hacked server. Based on this I could verify and identify the vulnerability.

4. I created a quick fix, fixed TWiki.org, created a quick advisory and informed the TWiki community via the twiki-dev mailing list. I also sent the quick fix to Andreas and Benjamin. Then I went to work.

6. While I was at work, without access to home e-mail:
   - Roman sent an e-mail with a search example demonstrating the vulnerability.
   - Hans Ulrich sent me two drafts of an advisory.

5. Friday afternoon: I returned home early because of the issue and read the e-mails. I made a more robust fix, compiled the e-mail addresses of several hundred TWiki admins and sent out the advisory based on Hans Ulrich's version, with some mods.

6. I forwarded the revised advisory to Hans Ulrich, but he had already released it to the public.

Overall the issue got handled in a timely manner once I got to know about the vulnerability. However, these things did not work well:

- I did not get Hans Ulrich and Roman in touch quickly enough on Friday.
- The advisory went out uncoordinated, bypassing a grace period for TWiki admins to fix the hole. (I know that the vulnerability was already known by hackers, but only by a few. Once an advisory is made available publicly the whole world knows.) _This is not in line with our published process and possibly compromises other public TWiki sites._
- The vulnerability was known to Roman for 2 months, but he did not inform the TWiki developers. _Damage on two sites could have been prevented._

Regards, Peter