Aspects of PmWiki security are found on the following pages: Pages distributed in a PmWiki release:
Cookbook pages
How do I report a possible security vulnerability of PmWiki? Pm wrote about this in a post to pmwiki-users from September 2006. In a nutshell he differentiates two cases:
See his post mentioned above for details and rationals. What about the botnet security advisory at https://isc.sans.edu/diary/Reports+of+Bots+exploiting+pmwiki+and+tikiwiki/1672? Sites that are running with PHP's register_globals setting set to "On" and versions of PmWiki prior to 2.1.21 may be vulnerable to a botnet exploit that is taking advantage of a bug in PHP. The vulnerability can be closed by turning register_globals off, upgrading to PmWiki 2.1.21 or later, or upgrading to PHP versions 4.4.3 or 5.1.4. Wiki Vandalism and Spam
How do I stop pages being deleted, eg password protect a page from deletion? Use Cookbook:DeleteAction and password protect the page deletion action by adding or to require the edit or admin password respectively.
How do I stop pages being replaced with an empty (all spaces) page? Add how do I stop pages being completely replaced by an inane comment such as excellent site, great information, where the content cannot be blocked? Try using the newer automatic blocklists that pull information and IP addresses about known wiki defacers. (OR) Try using Cookbook:Captchas or Cookbook:Captcha (note these are different). (OR) Set an edit password, but make it publicly available on the Site.AuthForm template. How do I password protect the creation of new groups? See Cookbook:Limit Wiki Groups How do I password protect the creation of new pages? See Cookbook:Limit new pages in Wiki Groups How do I take a whitelist approach where users from known or trusted IP addresses can edit, and others require a password? Put these lines to ## Allow passwordless editing from own turf, pass for others. if ($action=='edit' && !preg_match("/^90\\.68\\./", $_SERVER['REMOTE_ADDR']) ) { $DefaultPasswords['edit'] = pmcrypt('foobar'); } Replace For a single IP, you may use if($_SERVER['REMOTE_ADDR'] == '127.0.0.1') { # your IP address here $_POST['authpw'] = 'xxx'; # the admin password } Please note the security issues: this means that you have your admin passwords in clear in See also Cookbook:AuthDNS & Cookbook:PersistentLogin How do I password protect page actions? See Passwords for setting in
or
How do I moderate all postings? Enable PmWiki.Drafts
How do I make a read only wiki? In How do I restrict access to uploaded attachments? See
How do I hide the IP addresses in the "diff" pages? If the user fills an author name, the IP address is not displayed. To require an author name, set in The IP address can also be seen in a tooltip title when the mouse cursor is over the author name. To disable the tooltip, set in $DiffStartFmt = "<div class='diffbox'><div class='difftime'><a name='diff\$DiffGMT' href='#diff\$DiffGMT'>\$DiffTime</a> \$[by] <span class='diffauthor'>\$DiffAuthor</span> - \$DiffChangeSum</div>"; How do I stop some Apache installations executing a file which has ".php", ".pl" or ".cgi" anywhere in the filename Use How do I stop random people from viewing the ?action=source (wiki markup) of my pages? I have See How do I set a global password to resist spambots, and informed humans of the password? |