Последние изменения - Поиск:

Новости
Хроника

2017-98-08-Deb:

2017-05-03-11-24-57:

2011-10-02:

2011-08-27:

2011-05-30:

2011-05-28:

2011-04-16:

2011-01-22:

2010-12-03-13-04-04:

2010-09-24:

2010-01-08:

2009-11-16:

2009-09-xx:

2008-01-25:

2007-09-28:

2007-04-21:

2007-04-13:

2006-12-01:

2006-09-22:

2006-09-06:

2006-04-20:

2006-03-XX:

2006-01-XX:

2006-01-28-04-57-02:

2005-09-23:

2005-08-12:

2005-01-24:

2004-09-24:

2004-05-13:

2003-12-08:

2003-04-04:

2002-02-22:

2002-01-25:

Архив


Старый сайт External Link to http://gaish78.narod.ru/
Хочу жить вечно External Link to http://virtualphotoalbum.tau-site.ru/2009_FFMeeting/index.htm

Security

Aspects of PmWiki security are found on the following pages:

Pages distributed in a PmWiki release:

  • Passwords General use of passwords and login
  • Passwords Admin More password options for the administrator
  • AuthUser Authorization system that uses usernames and passwords
  • Url Approvals Require approval of Url links
  • Site Analyzer External Link to http://www.pmwiki.org/wiki/PmWiki/Site%20Analyzer
  • Blocklist Blocking IP addresses, phrases, and expressions to counteract spam and vandalism.
  • Notify Allows a site administrator to configure PmWiki to send email messages whenever pages are changed on the wiki site
  • Security variables variables crucial for site security

How do I report a possible security vulnerability of PmWiki?

Pm External Link to http://www.pmichaud.com wrote about this in a post to pmwiki-users from September 2006 External Link to http://pmichaud.com/pipermail/pmwiki-users/2006-September/031793.html. In a nutshell he differentiates two cases:

  1. The possible vulnerability isn't already known publicly: In this case please contact us by private mail.
  2. The possible vulnerability is already known publicly: In this case feel free to discuss the vulnerability in public (e.g. on pmwiki-users External Link to http://www.pmichaud.com/mailman/listinfo/pmwiki-users or in the PITS External Link to http://www.pmwiki.org/wiki/PITS/PITS).

See his post mentioned above External Link to http://pmichaud.com/pipermail/pmwiki-users/2006-September/031793.html for details and rationals.

What about the botnet security advisory at http://isc.sans.org/diary.php?storyid=1672 External Link to http://isc.sans.org/diary.php?storyid=1672?

Sites that are running with PHP's register_globals setting set to "On" and versions of PmWiki prior to 2.1.21 may be vulnerable to a botnet exploit that is taking advantage of a bug in PHP. The vulnerability can be closed by turning register_globals off, upgrading to PmWiki 2.1.21 or later, or upgrading to PHP versions 4.4.3 or 5.1.4.
In addition, there is a test at PmWiki:SiteAnalyzer External Link to http://www.pmwiki.org/wiki/PmWiki/SiteAnalyzer that can be used to determine if your site is vulnerable.

Wiki Vandalism and Spam

Assumptions
you are using a Blocklist and Url approvals.
You don't want to resort to password protecting the entire wiki, that's not the point after all.
Ideally these protections will be invoked in config.php

How do I stop pages being deleted, eg password protect a page from deletion?

Use Cookbook:DeleteAction External Link to http://www.pmwiki.org/wiki/Cookbook/DeleteAction and password protect the page deletion action by adding $DefaultPasswords['delete'] = '*'; to config.php or password protect the action with $HandleAuth['delete'] = 'edit';

or $HandleAuth['delete'] = 'admin'; to require the edit or admin password respectively.

How do I stop pages being replaced with an empty (all spaces) page?

Add block: /^\s*$/ to your blocklist.

how do I stop pages being completely replaced by an inane comment such as excellent site, great information, where the content cannot be blocked?

Try using the newer automatic blocklists that pull information and IP addresses about known wiki defacers.

(OR) Try using Cookbook:Captchas External Link to http://www.pmwiki.org/wiki/Cookbook/Captchas or Cookbook:Captcha External Link to http://www.pmwiki.org/wiki/Cookbook/Captcha (note these are different).

(OR) Set an edit password, but make it publicly available on the Site.AuthForm template.

How do I password protect the creation of new groups?

See Cookbook:Limit Wiki Groups External Link to http://www.pmwiki.org/wiki/Cookbook/Limit%20Wiki%20Groups

How do I password protect the creation of new pages?

See Cookbook:Limit new pages in Wiki Groups External Link to http://www.pmwiki.org/wiki/Cookbook/Limit%20new%20pages%20in%20Wiki%20Groups

How do I take a whitelist approach where users from known or trusted IP addresses can edit, and others require a password?

Put these lines to local/config.php:

## Allow passwordless editing from own turf, pass for others.
if ($action=='edit'
 && !preg_match("/^90\\.68\\./", $_SERVER['REMOTE_ADDR']) )    
 { $DefaultPasswords['edit'] = crypt('foobar'); }

Replace 90.68. with the preferred network prefix and foobar with the default password for others.

For a single IP, you may use

if($_SERVER['REMOTE_ADDR'] == '127.0.0.1') { # your IP address here
 $_POST['authpw'] = 'xxx';                  # the admin password
}

Please note the security issues : this means that you have your admin passwords in clear in config.php and someone with access to the filesystem can read them (for example a technician of your hosting provider) ; your IP address may change from time to time (unless you have a fixed IP contract with your ISP). When that happens, someone with your old IP address will be logged in automatically as admin on your wiki. It is extremely unlikely to become a problem, but you should know it is possible ; if you are behind a router, all other devices which pass through that router will have the same IP address for PmWiki - your wifi phone, your wife's netbook, a neighbour using your wifi connection, etc. All these people become admins of your wiki. Again, you should evaluate if this is a security risk ; In some cases, your ISP will route your traffic through the same proxy as other people. In such a case, thousands of people may have the same IP address.

See also Cookbook:AuthDNS External Link to http://www.pmwiki.org/wiki/Cookbook/AuthDNS & Cookbook:PersistentLogin External Link to http://www.pmwiki.org/wiki/Cookbook/PersistentLogin

How do I password protect page actions?

See Passwords for setting in config.php

$HandleAuth['pageactionname'] = 'pageactionname'; # along with :
$DefaultPasswords['pageactionname'] = crypt('secret phrase');

or

$HandleAuth['pageactionname'] = 'anotherpageactionname';

How do I moderate all postings?

Enable PmWiki.Drafts

  • Set $EnableDrafts, this relabels the "Save" button to "Publish" and a "Save draft" button appears.
  • Set $EnablePublishAttr, this adds a new "publish" authorization level to distinguish editing from publishing.

How do I make a read only wiki?

In config.php set an "edit" password.

How do I restrict access to uploaded attachments?

See

How do I hide the IP addresses in the "diff" pages?

If the user fills an author name, the IP address is not displayed. To require an author name, set in config.php such a line:

  $EnablePostAuthorRequired = 1;

The IP address can also be seen in a tooltip title when the mouse cursor is over the author name. To disable the tooltip, set in config.php:

$DiffStartFmt = 
  "<div class='diffbox'><div class='difftime'><a name='diff\$DiffGMT' href='#diff\$DiffGMT'>\$DiffTime</a>
   \$[by] <span class='diffauthor'>\$DiffAuthor</span> - \$DiffChangeSum</div>";

How do I stop some Apache installations executing a file which has ".php", ".pl" or ".cgi" anywhere in the filename

Use $UploadBlacklist


This page may have a more recent version on pmwiki.org External Link to http://www.pmwiki.org: PmWiki:Security External Link to http://www.pmwiki.org/wiki/PmWiki/Security, and a talk page: PmWiki:Security-Talk External Link to http://www.pmwiki.org/wiki/PmWiki/Security-Talk.

Править - История - Печать - Последние изменения - Поиск
Редакция от 11.03.2013 03:54