---++ Problem

When a Foswiki installation is publicly accessible from the internet, and you need to allow registrations, this inevitably attracts spammers. Even if you restrict permissions so that newly registered users cannot change or add any content, they can still use the fields provided in the System.UserRegistration form to create keyword/link spam or, on Foswiki versions 1.1.4 and earlier, malicious HTML/script code (see [[Support.SecurityAlert-CVE-2012-1004]]).

---++ Context

The default user registration mechanism is in use, and it is set up to allow registrations. Additionally, the installation is public, and public registrations need to be supported.

---++ Solution

Prevent the user registration process from creating a reward for the spammer: restrict VIEW access on new user topics, so that search engines do not index the content and an innocent visitor who clicks through to the user topic is not exposed to malicious script (but do ensure your Foswiki installation is up-to-date).

Customize your existing [[System.NewUserTemplate]] by copying it to =Main.NewUserTemplate=, and add something like the following:

<pre class="tml"><literal>
---++ Temporary restrictions

This user ([[%<nop>WIKIUSERNAME%][%<nop>WIKINAME%]]) needs to be added to a [[WikiGroups][WikiGroup]], then the following restrictions should be removed by somebody from the Main.ModeratorGroup:
   * Set ALLOWTOPICVIEW = Main.ModeratorGroup, %<nop>WIKIUSERNAME%
   * Set ALLOWTOPICCHANGE = Main.ModeratorGroup
</literal></pre>

---++ Known Uses

http://wiki.trin.org.au

---++ Known Limitations

Removing bogus/spammer user topics needs to be coordinated with removal of the corresponding username/pass/email lines from the =.htpasswd= file (if using the default =HtPasswdUser= password manager).

---++ See Also
   * [[Support.Faq12]] - How to manually approve registrations
   * [[Tasks.Item11501]]
   * [[Support.SecurityAlert-CVE-2012-1004]]
   * FaqSecureFoswikiAgainstAttacks
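The "Known Limitations" section above says that deleting a spammer's user topic and deleting the matching =.htpasswd= line must be done in step. The script below is an added example (not part of this tip or of the Foswiki distribution) that does both in one function, with a backup of the password file and a refusal to proceed when the login is not present. It assumes, since the page does not state it, that =HtPasswdUser= lines look like =login:passwordhash:email=, that the password file is at =<root>/data/.htpasswd=, and that user topics live under =<root>/data/Main/= with attachments under =<root>/pub/Main/=.

```shell
#!/bin/sh
# Added example, not part of the original tip or of the Foswiki distribution.
# Removes a spammer's .htpasswd entry together with the user topic, since the
# tip warns the two must be cleaned up in step.  Assumptions (not on the page):
# HtPasswdUser lines look like "login:passwordhash:email", the password file
# is <root>/data/.htpasswd, user topics are <root>/data/Main/<WikiName>.txt
# (plus optional <WikiName>.txt,v history) and attachments are under
# <root>/pub/Main/<WikiName>/.

# Usage: remove_registration <foswiki_root> <login_name> <wiki_name>
remove_registration() {
    root="$1"; login="$2"; wikiname="$3"
    htpasswd="$root/data/.htpasswd"
    [ -f "$htpasswd" ] || { echo "no password file at $htpasswd" >&2; return 1; }
    # Refuse to touch anything if the login is absent, so the topic removal
    # and the password-file removal never drift apart.
    if ! awk -F: -v u="$login" '$1 == u { found = 1 } END { exit !found }' "$htpasswd"; then
        echo "login '$login' not found in $htpasswd" >&2
        return 1
    fi
    cp -p "$htpasswd" "$htpasswd.bak"                 # keep a copy for audit/rollback
    awk -F: -v u="$login" '$1 != u' "$htpasswd" > "$htpasswd.tmp" \
        && mv "$htpasswd.tmp" "$htpasswd"
    rm -f "$root/data/Main/$wikiname.txt" "$root/data/Main/$wikiname.txt,v"
    rm -rf "$root/pub/Main/$wikiname"                 # anything uploaded at registration
}

# Builds a small constructed Foswiki data tree in $1 for trying the function.
build_fixture() {
    mkdir -p "$1/data/Main" "$1/pub/Main/SpamBot"
    cat > "$1/data/.htpasswd" <<'EOF'
alice:{SHA}constructedhash1=:alice@example.org
spambot:{SHA}constructedhash2=:spam@example.net
bob:{SHA}constructedhash3=:bob@example.org
EOF
    printf '%s\n' '---+ SpamBot' 'keyword spam' > "$1/data/Main/SpamBot.txt"
    printf '%s\n' '---+ Alice' > "$1/data/Main/AliceSmith.txt"
}

# Worked run: prints the logins that remain after removing the spammer.
demo() {
    tmp=$(mktemp -d)
    build_fixture "$tmp"
    remove_registration "$tmp" spambot SpamBot
    cut -d: -f1 "$tmp/data/.htpasswd"   # prints alice and bob, one per line
    rm -rf "$tmp"
}
demo
```

Run it against a copy of the live data directory first; the =.htpasswd.bak= file it leaves behind is what you restore from if the wrong login was given.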
Topic revision: r5 - 27 Mar 2012, CrawfordCurrie