Wiki*Kei

Security Audit
  1. This repository is Wildly INSECURE because it grants administrator privileges to anonymous users. You should take this repository private immediately! Or, at least remove the Setup and Admin privileges for users "anonymous" and "login" on the User Configuration page.

  2. This repository does not have a canonical access URL. There are 2 non-canonical URLs that have been used to access this repository.

  3. WARNING: Sensitive material such as login passwords can be sent over an unencrypted connection. Fix this by changing the "Redirect to HTTPS" setting on the Access Control page. If you were using the old "Redirect to HTTPS on Login Page" setting, switch to the new setting: it has a more secure implementation.

  4. This server is compiled with -DFOSSIL_ENABLE_TCL. Tcl integration is disabled for this particular repository, so you are safe for now. However, to prevent potential problems caused by accidentally enabling Tcl integration in the future, it is recommended that you recompile Fossil without the -DFOSSIL_ENABLE_TCL flag.

  5. WARNING: Anonymous users can view email addresses and other personally identifiable information on tickets. Fix this by removing the "Email" privilege (capability "e") from users "anonymous" and "nobody" on the User Configuration page.

  6. WARNING: Anonymous users can push new check-ins into the repository. Fix this by removing the "Check-in" privilege (capability "i") from users "anonymous" and "nobody" on the User Configuration page.

  7. WARNING: Anonymous users can act as moderators for wiki, tickets, or forum posts. This defeats the whole purpose of moderation. Fix this by removing the "Mod-Wiki", "Mod-Tkt", and "Mod-Forum" privileges (capabilities "fq5") from users "anonymous" and "nobody" on the User Configuration page.

  8. WARNING: One or more users have the obsolete "d" capability. You should remove it using the User Configuration page in case we ever reuse the letter for another purpose.

  9. WARNING: Anonymous users can create or edit wiki pages without moderation. This can result in robots inserting lots of wiki spam into the repository. Fix this by removing the "New-Wiki" and "Write-Wiki" privileges from users "anonymous" and "nobody" on the User Configuration page or by enabling wiki moderation on the Moderation Setup page.

  10. WARNING: Anonymous users can create forum posts that are accepted into the permanent record without moderation. This can result in robots generating spam on forum posts. Fix this by removing the "WriteTrusted-Forum" privilege (capabilities "456") from users "anonymous" and "nobody" on the User Configuration page or

  11. WARNING: Anonymous users can send announcements to anybody who is signed up to receive announcements. This can result in spam. Fix this by removing the "Announce" privilege (capability "A") from users "anonymous" and "nobody" on the User Configuration page or

  12. WARNING: Administrative privilege ('a' or 's') is granted to an entire class of users: anonymous and developer and nobody and reader. Administrative privilege should only be granted to specific individuals.

  13. Users with administrator privilege are: keinnys_celis, anonymous, nobody, developer, reader, offray

  14. WARNING: Administrator privilege is granted to 6 users. Ideally, administrator privilege ('s' or 'a') should only be granted to one or two users.

  15. Users with "Write-Unver" privilege: keinnys_celis, offray

  16. The User Log is disabled. The user log keeps a record of successful and unsuccessful login attempts and is useful for security monitoring.

  17. The Administrative Log is disabled. The administrative log provides a record of configuration changes and is useful for security monitoring.

  18. Unable to get the system load average. This can prevent Fossil from throttling expensive operations during peak demand. If running in a chroot jail on Linux, verify that the /proc filesystem is mounted within the jail, so that the load average can be obtained from the /proc/loadavg file.

  19. The server error log is disabled. To set up an error log, make an entry like "errorlog: FILENAME" in the CGI script at /web/customers/chiselapp.com/repos/keinnys_celis/repository.

  20. User capability summary:

                          Code   Forum  Tickets  Wiki   Chat  Unversioned Content
      "nobody"            write  write  write    write  off   read
      "anonymous"         write  write  write    write  off   read
      "reader"            write  write  write    write  off   read
      "developer"         write  write  write    write  off   read
      New User Default    write  write  write    write  off   read
      Regular User        write  write  write    write  off   write
      5 Administrators    write  write  write    write  off   write

  21. Content Security Policy:

    1. *
  22. Email alerts are disabled

  23. The command that generated this page:

    /root/bin/fossil-2.22-tcl repository