Problem
When a Foswiki installation is publicly accessible from the internet, and you need to allow registrations, this inevitably attracts spammers. Even if you restrict permissions so that newly registered users cannot change or add any content, they can still use the fields provided in the UserRegistration form to create keyword/link spam or, on Foswiki versions 1.1.4 and earlier, malicious HTML/script code (see Support.SecurityAlert-CVE-2012-1004).
Context
The default user registration mechanism is in use, and it is set up to allow registrations. Additionally, the installation is public, and public registrations need to be supported.
Solution
Prevent the user registration process from creating a reward for the spammer: restrict VIEW access on new user topics, so that search engines do not index the content, and prevent innocent clicks to the user topic from potentially exposing them to malicious script (but do ensure your Foswiki installation is up-to-date).
Customize your existing System.NewUserTemplate by copying it to Main.NewUserTemplate, and add something like the following:
---++ Temporary restrictions
This user ([[%WIKIUSERNAME%][%WIKINAME%]]) needs to be added to a [[WikiGroups][WikiGroup]], then the following restrictions should be removed by somebody from the Main.ModeratorGroup:
   * Set ALLOWTOPICVIEW = Main.ModeratorGroup, %WIKIUSERNAME%
   * Set ALLOWTOPICCHANGE = Main.ModeratorGroup
Known Uses
http://wiki.trin.org.au
Known Limitations
Removing bogus/spammer user topics needs to be coordinated with removal of the corresponding username/pass/email lines from the .htpasswd file (if using the default HtPasswdUser password manager).
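The following added example (not part of this page or of Foswiki itself) supports both the Solution and this limitation: it parses the "* Set" preference bullets of a user topic to check whether the temporary moderator-only restrictions are still in place, and reconciles the login names in a .htpasswd file against the list of existing user topics. It assumes the default setup where the login name equals the WikiName, so topic names and .htpasswd logins can be compared directly; the topic text, .htpasswd lines and names are constructed sample data.

```python
import re

# Foswiki preference settings are bullets of the form "   * Set NAME = value"
SET_RE = re.compile(r"^\s+\* Set ([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$", re.MULTILINE)


def topic_settings(text):
    """Map of preference NAME -> value found in a topic's TML text."""
    return {m.group(1): m.group(2) for m in SET_RE.finditer(text)}


def restrictions_in_place(text, moderators="Main.ModeratorGroup"):
    """True when VIEW still includes the moderator group and CHANGE is limited to it."""
    s = topic_settings(text)
    view = [v.strip() for v in s.get("ALLOWTOPICVIEW", "").split(",") if v.strip()]
    change = [v.strip() for v in s.get("ALLOWTOPICCHANGE", "").split(",") if v.strip()]
    return moderators in view and change == [moderators]


def htpasswd_logins(text):
    """Login names from HtPasswdUser lines 'login:hash:email'; comments and blanks skipped."""
    logins = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            logins.add(line.split(":", 1)[0])
    return logins


def reconcile(htpasswd_text, user_topics):
    """Logins with no user topic, and user topics with no login (assumes login == WikiName)."""
    logins = htpasswd_logins(htpasswd_text)
    topics = set(user_topics)
    return {"login_without_topic": sorted(logins - topics),
            "topic_without_login": sorted(topics - logins)}


# Constructed sample data; names, hashes and addresses are placeholders, not real accounts
RESTRICTED_TOPIC = """---++ Temporary restrictions
   * Set ALLOWTOPICVIEW = Main.ModeratorGroup, Main.AliceExample
   * Set ALLOWTOPICCHANGE = Main.ModeratorGroup
"""
OPEN_TOPIC = "---+ Bob Example\n   * Set ALLOWTOPICCHANGE = Main.BobExample\n"
HTPASSWD = """# constructed .htpasswd
AliceExample:$apr1$placeholder:alice@example.invalid
BobExample:$apr1$placeholder:bob@example.invalid
SpamAccount:$apr1$placeholder:spam@example.invalid
"""

if __name__ == "__main__":
    print(restrictions_in_place(RESTRICTED_TOPIC))  # True
    print(restrictions_in_place(OPEN_TOPIC))        # False
    print(reconcile(HTPASSWD, ["AliceExample", "BobExample", "CarolExample"]))
```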
See Also