
Trac is especially prone to wiki vandalism. Worse, it isn't obvious how to fix the problem.

Attacks are often embedded in hidden HTML, using Trac's `#!html` WikiProcessor so the spam does not show up on the rendered page:

    {{{
    #!html

The processor's output goes through Trac's HTML sanitizer unless `render_unsafe_content` is switched on in trac.ini, so script is stripped, but spam links placed inside the block still render and get indexed.

Fixing the permissions needs shell access to the trac-admin CLI on the server; it takes the Trac environment directory as its first argument.

    trac-admin /home/hendry/trac permission list
    trac-admin /home/hendry/trac permission remove anonymous WIKI_CREATE
    trac-admin /home/hendry/trac permission remove anonymous WIKI_MODIFY
    trac-admin /home/hendry/trac permission remove anonymous WIKI_VIEW
    trac-admin /home/hendry/trac permission remove anonymous TICKET_CREATE
    trac-admin /home/hendry/trac permission remove anonymous TICKET_MODIFY
    trac-admin /home/hendry/trac permission help
    # WIKI_VIEW went with the rest above; restore it so anonymous readers keep read access
    trac-admin /home/hendry/trac permission add anonymous WIKI_VIEW
    trac-admin /home/hendry/trac permission list
    trac-admin /home/hendry/trac permission add hendry WIKI_ADMIN

Trac's default of granting WIKI_CREATE and WIKI_MODIFY to anonymous is just ripe for abuse. Notice that the user hendry has to be created with htpasswd: Trac does not manage accounts itself, it trusts the username the web server authenticates and only stores the permissions attached to that name. Seems like a good idea at first, but it is all too often a point of confusion. See my /etc/apache2/sites-enabled/001-trac for more clues.
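The same lockdown as a repeatable script, added here as an example and not code from the original post or from Trac itself. It parses the output of `trac-admin <env> permission list` (the layout, a header, a dashed rule, `user action` pairs and a trailing "Available actions" block, is assumed from Trac 0.11/1.x), keeps read-only actions such as WIKI_VIEW in place, and removes only write-capable actions granted to `anonymous`. The listing embedded below is constructed sample output.

```python
"""Audit and remove write permissions held by `anonymous` in a Trac environment.

Added example, not part of the original post. The `permission list` output
format is assumed from Trac 0.11/1.x; SAMPLE_LISTING is constructed.
"""
import subprocess
import sys

# Actions that let an unauthenticated visitor change content. The *_ADMIN
# meta-permissions imply the others, so they are included as well.
WRITE_ACTIONS = {
    "WIKI_CREATE", "WIKI_MODIFY", "WIKI_DELETE", "WIKI_RENAME", "WIKI_ADMIN",
    "TICKET_CREATE", "TICKET_MODIFY", "TICKET_APPEND", "TICKET_CHGPROP",
    "TICKET_EDIT_CC", "TICKET_EDIT_DESCRIPTION", "TICKET_EDIT_COMMENT",
    "TICKET_ADMIN", "MILESTONE_CREATE", "MILESTONE_MODIFY", "MILESTONE_DELETE",
    "MILESTONE_ADMIN", "TRAC_ADMIN",
}

# Constructed sample of `trac-admin /home/hendry/trac permission list` output.
SAMPLE_LISTING = """\
User           Action
---------------------
anonymous      BROWSER_VIEW
anonymous      TICKET_CREATE
anonymous      TICKET_MODIFY
anonymous      WIKI_CREATE
anonymous      WIKI_MODIFY
anonymous      WIKI_VIEW
authenticated  TICKET_MODIFY
hendry         WIKI_ADMIN

Available actions:
 BROWSER_VIEW, TICKET_CREATE, TICKET_MODIFY, WIKI_ADMIN, WIKI_CREATE, WIKI_MODIFY, WIKI_VIEW
"""


def parse_permission_list(text):
    """Return {user: set(actions)} from `permission list` output."""
    grants = {}
    for line in text.splitlines():
        if line.startswith("Available actions"):
            break  # the comma-separated catalogue after this is not a grant
        parts = line.split()
        if len(parts) != 2 or parts[0] == "User":
            continue  # header, dashed rule or blank line
        user, action = parts
        grants.setdefault(user, set()).add(action)
    return grants


def write_grants(grants, user="anonymous"):
    """Sorted write-capable actions held by `user` (empty list if none)."""
    return sorted(grants.get(user, set()) & WRITE_ACTIONS)


def removal_commands(env, actions, user="anonymous"):
    """Build the trac-admin argv list for each action to revoke."""
    return [["trac-admin", env, "permission", "remove", user, a] for a in actions]


def lockdown(env, apply=False):
    """Print (and with apply=True run) the removals for a live environment."""
    listing = subprocess.run(["trac-admin", env, "permission", "list"],
                             check=True, capture_output=True, text=True).stdout
    actions = write_grants(parse_permission_list(listing))
    for cmd in removal_commands(env, actions):
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)
    return actions


if __name__ == "__main__":
    # Dry run by default: python lockdown.py /home/hendry/trac [--apply]
    lockdown(sys.argv[1], apply="--apply" in sys.argv[2:])
```

Run it without `--apply` first and read the printed commands; WIKI_VIEW and BROWSER_VIEW are never touched, so there is no need for the remove-then-add dance in the shell history above. The `authenticated` group keeps TICKET_MODIFY here, which is the right place for it once accounts live in htpasswd.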

Only once I had set myself up as WIKI_ADMIN could I "Delete this version" of the vandalised pages and roll the page back to the original. This is a very frustrating procedure if the site has been vandalised numerous times! Use the timeline to find and delete each revision containing spam.

Use the timeline's RSS feed to track attacks. Here is an example of a feed URL, asking for 90 days of wiki, ticket, changeset and milestone events:

http://webpy.org/track/timeline?daysback=90&max=50&wiki=on&ticket=on&changeset=on&milestone=on&format=rss
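A small monitor for that feed, added as an example and not code from the original post or from Trac. It parses the timeline RSS and flags wiki and ticket events whose author is `anonymous`, which is what vandalism looks like before the permissions above are tightened. The item layout (RSS 2.0 `title`, `link`, `category` and a Dublin Core `dc:creator`) is assumed from Trac's timeline feed, and the feed below is a constructed sample, not real webpy.org data.

```python
"""Flag anonymous wiki/ticket changes in a Trac timeline RSS feed.

Added example, not part of the original post. The feed layout is assumed
from Trac's timeline RSS output; SAMPLE_FEED is constructed.
"""
import urllib.request
import xml.etree.ElementTree as ET

DC = "{http://purl.org/dc/elements/1.1/}"

# Constructed sample of what the feed URL above might return.
SAMPLE_FEED = """
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
 <channel>
  <title>webpy: Timeline</title>
  <item>
   <title>WikiStart edited</title>
   <dc:creator>anonymous</dc:creator>
   <pubDate>Mon, 21 Apr 2008 03:12:00 GMT</pubDate>
   <link>http://webpy.org/track/wiki/WikiStart?version=57</link>
   <category>wiki</category>
  </item>
  <item>
   <title>Ticket #12 (new): Broken link in docs</title>
   <dc:creator>hendry</dc:creator>
   <pubDate>Mon, 21 Apr 2008 09:40:00 GMT</pubDate>
   <link>http://webpy.org/track/ticket/12</link>
   <category>ticket</category>
  </item>
  <item>
   <title>Changeset [1234]: fix typo</title>
   <dc:creator>hendry</dc:creator>
   <pubDate>Mon, 21 Apr 2008 10:05:00 GMT</pubDate>
   <link>http://webpy.org/track/changeset/1234</link>
   <category>changeset</category>
  </item>
  <item>
   <title>CheapPills created</title>
   <dc:creator>anonymous</dc:creator>
   <pubDate>Tue, 22 Apr 2008 02:50:00 GMT</pubDate>
   <link>http://webpy.org/track/wiki/CheapPills?version=1</link>
   <category>wiki</category>
  </item>
 </channel>
</rss>
"""


def parse_timeline(xml_text):
    """Return a list of {title, author, link, category, date} per <item>."""
    root = ET.fromstring(xml_text)
    events = []
    for item in root.iter("item"):
        events.append({
            "title": item.findtext("title", ""),
            "author": item.findtext(DC + "creator", ""),
            "link": item.findtext("link", ""),
            "category": item.findtext("category", ""),
            "date": item.findtext("pubDate", ""),
        })
    return events


def suspicious_events(events, watch_authors=("anonymous",), kinds=("wiki", "ticket")):
    """Events by an unauthenticated author on content a visitor can vandalise."""
    return [e for e in events
            if e["author"] in watch_authors and e["category"] in kinds]


def check_feed(url, timeout=30):
    """Fetch a live timeline feed and return the suspicious events."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return suspicious_events(parse_timeline(resp.read()))


if __name__ == "__main__":
    for e in suspicious_events(parse_timeline(SAMPLE_FEED)):
        print(f"{e['date']}  {e['author']:<10} {e['title']}  {e['link']}")
```

Each flagged link points straight at the page version to delete, so the output doubles as a worklist for the "Delete this version" clean-up. Drop `check_feed` into cron with the feed URL and mail the result; an empty list after the permissions are fixed is the confirmation that the fix took.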

Comment by Katherine (211.216.146.170): I'll just nod my head and pretend like I understand.