Fixing trac vandalism


Trac is especially prone to wiki vandalism. Worse, it isn't obvious how to fix the problem.

Attacks are often embedded in hidden HTML, using Trac's html processor inside a wiki code block:

    {{{
    #!html

You need to have access to the trac-admin CLI.

trac-admin /home/hendry/trac permission list
trac-admin /home/hendry/trac permission remove anonymous WIKI_CREATE
trac-admin /home/hendry/trac permission remove anonymous WIKI_MODIFY
trac-admin /home/hendry/trac permission remove anonymous WIKI_VIEW
trac-admin /home/hendry/trac permission remove anonymous TICKET_CREATE
trac-admin /home/hendry/trac permission remove anonymous TICKET_MODIFY
trac-admin /home/hendry/trac permission help
trac-admin /home/hendry/trac permission add anonymous WIKI_VIEW
trac-admin /home/hendry/trac permission list
trac-admin /home/hendry/trac permission add hendry WIKI_ADMIN

Trac's defaults of WIKI_CREATE and WIKI_MODIFY for anonymous are just ripe for abuse. Notice that the user hendry has to be created with htpasswd; that's how users are managed with Trac. It seems like a good idea at first, but all too often it is a point of confusion. See my /etc/apache2/sites-enabled/001-trac for more clues.
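To catch the same problem on other Trac environments, here is a small audit script. It is an added example, not code from the original post: it reads the table that `trac-admin ENV permission list` prints, picks out write permissions held by anonymous, and emits the revoke commands for review rather than running them. The listing it parses is a constructed sample, and the permission set goes slightly beyond the four named above by also covering WIKI_DELETE and TICKET_APPEND, which Trac also defines.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits the output of
# `trac-admin ENV permission list` for write permissions granted to the
# anonymous user and emits the trac-admin commands that revoke them.
# Assumed: the listing is the two-column "User  Action" table trac-admin
# prints; the sample below is constructed, not real data.

# Actions that let unauthenticated visitors create or change content.
# Extends the page's four (WIKI_CREATE, WIKI_MODIFY, TICKET_CREATE,
# TICKET_MODIFY) with WIKI_DELETE and TICKET_APPEND, which Trac also defines.
ANON_WRITE_PERMS="WIKI_CREATE WIKI_MODIFY WIKI_DELETE TICKET_CREATE TICKET_MODIFY TICKET_APPEND"

# Read a permission listing on stdin; print each risky action held by
# "anonymous", one per line, in listing order. Header and separator lines
# are skipped because their first field is never "anonymous".
anon_write_perms() {
    awk -v perms="$ANON_WRITE_PERMS" '
        BEGIN { n = split(perms, p, " "); for (i = 1; i <= n; i++) risky[p[i]] = 1 }
        $1 == "anonymous" && ($2 in risky) { print $2 }
    '
}

# Read a listing on stdin; print one revocation command per risky action
# for the Trac environment at $1. Nothing is executed here: review the
# output first, then pipe it to sh if it looks right.
revoke_commands() {
    env_path=$1
    anon_write_perms | while IFS= read -r action; do
        printf 'trac-admin %s permission remove anonymous %s\n' "$env_path" "$action"
    done
}

# Constructed sample listing for the demo (shape of `permission list` output).
SAMPLE_LISTING='User           Action
---------------------------
anonymous      BROWSER_VIEW
anonymous      TICKET_CREATE
anonymous      WIKI_CREATE
anonymous      WIKI_MODIFY
anonymous      WIKI_VIEW
authenticated  TICKET_MODIFY
hendry         WIKI_ADMIN'

# Demo: list what would be revoked for the sample environment path.
printf '%s\n' "$SAMPLE_LISTING" | revoke_commands /home/hendry/trac
```

Against a live environment the same functions run as `trac-admin /home/hendry/trac permission list | revoke_commands /home/hendry/trac`; WIKI_VIEW is left alone because it is read-only.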

Once I set myself up as WIKI_ADMIN, only then could I “Delete this version” of the vandalised pages and roll back/revert the page to the original. This is a very frustrating procedure if the site has been vandalised numerous times! Use the timeline to delete each revision containing spam.

Use RSS to track attacks. Here is an example of a feed URL:


If you like this, you might like the stateless Web kiosk software I develop. Webconverger typically replaces Windows on PCs and is deployed in public and business environments for ease of deployment and privacy. Once installed it auto-updates, making it painless to maintain. Try it where you exclusively use the only viable open platform... the Web!