## March 15, 2008

### Phun with Rails

Content-management systems that produce well-formed XHTML are not exactly thick on the ground. When it comes to Wiki software, there’s my branch of Instiki and, … umh ….

Which means that Instiki gets more than its share of attention from those interested in the question of whether XHTML is suitable for the Web.

Philip Taylor has been tireless in poking holes in various people’s XHTML implementations. Recently, Philip found a pair of issues in Instiki. Both were quickly fixed, but they illustrate my general maxim that any instance of a well-formedness issue is very likely an XSS issue as well.

Of the two issues that Philip found, the more serious one had to do with the author IP address displayed at the bottom of each wiki page, next to the author’s name. What could be dangerous about an IP address, you ask? Well, in this case, it’s generated using Rails’s request.remote_ip method, and that, in turn, uses the HTTP Client-Ip header, if one has been set.

Install, say, Firefox’s Modify Headers extension, and you can set the Client-Ip header to whatever the heck you want. As Philip ably demonstrated, this can make the targeted page ill-formed, but it can equally well be used to inject an XSS attack.

Arguably, Rails itself should take care that this method returns an actual IP address, rather than arbitrary garbage, but it’s easy enough to fix at the application level.

```ruby
require 'resolv'

# Application-level guard: keep the value of request.remote_ip only if the
# whole string is an IPv4 or IPv6 literal (Resolv's regexes are anchored with
# \A ... \z, so a partial match is not enough); otherwise gsub! returns nil
# and a fixed placeholder is used instead.
def remote_ip
  ip = request.remote_ip
  logger.info(ip)
  ip.gsub!(Regexp.union(Resolv::IPv4::Regex, Resolv::IPv6::Regex), '\0') || 'bogus address'
end
```
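As a stand-alone illustration of why the guard is needed (an added example, not Instiki’s or Rails’s own code): `raw_remote_ip` is a simplified model of the header-first lookup described above, the request environments are constructed, and `safe_remote_ip` applies the same anchored-regex check before the value reaches the page footer.

```ruby
require 'resolv'

# Simplified model (assumption, not Rails' implementation) of the lookup the
# post describes: a Client-Ip header, when present, wins over the socket
# address, so the value is attacker-controlled.
def raw_remote_ip(env)
  env['HTTP_CLIENT_IP'] || env['REMOTE_ADDR']
end

# Resolv's regexes are anchored, so the union matches only when the whole
# string is one IPv4 or IPv6 literal; markup or trailing junk fails outright.
IP_LITERAL = Regexp.union(Resolv::IPv4::Regex, Resolv::IPv6::Regex)

def safe_remote_ip(env)
  ip = raw_remote_ip(env).to_s
  IP_LITERAL.match?(ip) ? ip : 'bogus address'
end

# What the footer template would render; only an IP literal or the fixed
# placeholder can get here, so no markup from the header is echoed.
def rendered_author_line(env)
  "Author: #{safe_remote_ip(env)}"
end

# Constructed Rack-style request environments for illustration.
SAMPLE_ENVS = {
  plain:    { 'REMOTE_ADDR' => '192.0.2.10' },
  proxied:  { 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_CLIENT_IP' => '2001:db8::1' },
  markup:   { 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_CLIENT_IP' => '<b>not an ip' },
  trailing: { 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_CLIENT_IP' => '192.0.2.10<i>' }
}

if __FILE__ == $0
  SAMPLE_ENVS.each do |name, env|
    puts "#{name}: #{raw_remote_ip(env).inspect} -> #{safe_remote_ip(env)}"
  end
end
```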

Anyway, the bottom line is: if you’re using my branch of Instiki, please upgrade immediately to version 0.14pre(MML+).

If you’re using the main branch of Instiki, I have committed the requisite fixes to SVN Source Tree and contacted the maintainer (twice). Presumably, he will roll out a security update.

#### Update (3/17/2008):

Matthias has released a new version of the main branch of Instiki, with the fixes rolled in.

Posted by distler at March 15, 2008 9:43 AM

TrackBack URL for this Entry:   http://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/1634

## 4 Comments & 0 Trackbacks

### Re: Phun with Rails

I was wondering, if I updated the Instiki, do I have to add everything back on the wiki, or will it just do an update without changing anything?

Posted by: julio on March 27, 2008 1:44 PM

### Upgrading

> I was wondering, if I updated the Instiki, do I have to add everything back on the wiki, or will it just do an update without changing anything?

I gave fairly detailed upgrade instructions for my branch (you didn’t say which you are using). Easier still is to run my branch, straight out of BZR.

Posted by: Jacques Distler on March 27, 2008 2:04 PM

### Re: Upgrading

I am actually running a Windows-based Instiki, all through the command prompt. I have an older version but just want to update it. I see that on your site you have Mac and Linux instructions but not Windows MS-DOS instructions.

Posted by: julio on March 27, 2008 3:46 PM

### Re: Phun with Rails

I’ve been thinking about using Instiki for storing notes. How would you rate it against others such as Mediawiki and Tikiwiki?

Posted by: ZenSunni on March 31, 2008 7:31 AM
