[Pmwiki-users] Easily Hackable?

H. Fox haganfox
Thu Apr 1 00:02:37 CST 2004


I whipped up an example.

First, the editable wiki.  It's secured using HTTP authentication 
(.htaccess/.htpasswd).  The password is md5 hashed on the filesystem 
outside the document root.  I'm not sure whether it can be sniffed, but 
I don't think so.  If so, that could probably be beefed up (SSL?).

http://www.cis-dept.com/support/yta46tbs/
username: wikiuser
password: wiki

Next, the public wiki.  It shares three directories with the editable 
wiki using symlinks (see the directory tree listing below my sig). 
Maybe symlinking only wiki.d/ would be smarter?  Is "symlink" a verb?

http://www.cis-dept.com/support/x75snwne/

This one has a sitewide "edit" password.

Obviously the sky's the limit when it comes to what the two versions of 
the wiki look like.

Another thing: Since you need to log in using HTTP-auth to edit the 
wiki, the username is in the headers -- meaning it presumably could be 
forcefully used for author tracking.  Is that so?

So... is this "easily hackable" or "hardly hackable"?

Hagan

public_html/
|-- x75snwne
|   |-- COPYING
|   |-- index.php
|   |-- local
|   |   |-- README
|   |   |-- config.php
|   |   `-- sample-config.php
|   |-- pmwiki.php
|   |-- pub
|   [...]
|   |-- scripts -> ../yta46tbs/scripts       <== symlink
|   |-- wiki.d -> ../yta46tbs/wiki.d/        <== "
|   `-- wikilib.d -> ../yta46tbs/wikilib.d   <== "
`-- yta46tbs
     |-- .htaccess
     |-- COPYING
     |-- index.php
     |-- local
     |   |-- README
     |   |-- config.php
     |   `-- sample-config.php
     |-- pmwiki.php
     |-- pub
     |   [...]
     |-- scripts
     |   |-- author.php
     |   [...]
     |   `-- wikistyles.php
     |-- wiki.d
     |   |-- Main.AllRecentChanges
     |   |-- Main.RecentChanges
     |   `-- Main.WikiSandbox
     `-- wikilib.d
         |-- Main.GroupAttributes
         [...]
         `-- PmWiki.WinDiff

H. Fox wrote:

> Do the client's wiki pages need to be publicly editable?
> 
> If not, how about having the public pages exist on a read-only version 
> of the wiki and the editable, read-write version behind a firewall 
> and/or in a password-protected directory on an SSL server?
> 
> You could use HTTP authentication by group and give people their 
> individual user passwords that way, correct?  How to replicate is an 
> implementation detail -- maybe use rsync or even mirrordir.  The point 
> is: it should be possible / practicable to have a read only public 
> version and a read-write private version of the same site.
> 
> Another possibility: Could the same wiki.d directory somehow be 
> read-only for the public wiki and read-write for the password-protected 
> version?
> 
> Hagan
> 
> Greg Morgan wrote:
> 
>> KC Patrick wrote:
[snip]
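An added example, not from this post and not part of PmWiki: a POSIX shell audit for the two-tree layout above. It rebuilds a constructed copy of the tree (the directory names yta46tbs and x75snwne are the post's; the .htaccess contents and the placeholder htpasswd entry are made up here) and then checks the points a reviewer of this setup would want verified: the private tree carries an .htaccess with Basic auth and a Require line, the AuthUserFile it names exists and lives outside the document root, and each of the three shared directories in the public tree is a symlink that resolves to the private tree's copy. SSLRequireSSL is the Apache mod_ssl directive that refuses plain-HTTP requests; its absence is reported as a warning only.

```shell
#!/bin/sh
# Added example (not from the post or from PmWiki): audit the layout the post
# describes. A private, editable copy (yta46tbs) sits behind HTTP Basic auth via
# .htaccess/.htpasswd; a public, read-only copy (x75snwne) reaches the same
# scripts/, wiki.d/ and wikilib.d/ through relative symlinks.

# Physical path of a directory, following symlinks; prints nothing if it is missing.
realdir() { (cd "$1" 2>/dev/null && pwd -P); }

# audit_layout DOCROOT PRIVATE PUBLIC
# Prints one line per finding; returns 0 only when every hard check passes.
audit_layout() {
  ht="$2/.htaccess"; rc=0
  if [ ! -f "$ht" ]; then
    echo "FAIL: $ht missing: the private tree is not protected"; rc=1
  else
    grep -q '^AuthType[[:space:]]*Basic' "$ht" || { echo "FAIL: no 'AuthType Basic' in $ht"; rc=1; }
    grep -q '^Require[[:space:]]' "$ht" || { echo "FAIL: no 'Require' line in $ht"; rc=1; }
    # Basic auth only base64-encodes the credential; without TLS it is readable in transit.
    grep -q '^SSLRequireSSL' "$ht" || echo "WARN: no SSLRequireSSL in $ht: credentials travel unencrypted"
    pwfile=$(sed -n 's/^AuthUserFile[[:space:]]*//p' "$ht" | tr -d '"')
    case "$pwfile" in
      "")      echo "FAIL: no AuthUserFile in $ht"; rc=1 ;;
      "$1"/*)  echo "FAIL: password file $pwfile is under the document root $1"; rc=1 ;;
      *)       [ -f "$pwfile" ] || { echo "FAIL: password file $pwfile not found"; rc=1; } ;;
    esac
  fi
  # The three shared directories must be symlinks that resolve into the private tree.
  for d in scripts wiki.d wikilib.d; do
    if [ ! -L "$3/$d" ]; then
      echo "FAIL: $3/$d is not a symlink"; rc=1; continue
    fi
    if [ -z "$(realdir "$2/$d")" ] || [ "$(realdir "$3/$d")" != "$(realdir "$2/$d")" ]; then
      echo "FAIL: $3/$d does not resolve to $2/$d"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK: layout matches the expected shape"
  return "$rc"
}

# make_demo_layout ROOT [inside]
# Builds a constructed copy of the post's tree under ROOT. Pass "inside" to put
# .htpasswd under the document root, the misconfiguration the audit should flag.
make_demo_layout() {
  root=$1; doc="$root/public_html"
  priv="$doc/yta46tbs"; pub="$doc/x75snwne"
  mkdir -p "$priv/local" "$priv/scripts" "$priv/wiki.d" "$priv/wikilib.d" "$pub/local"
  if [ "$2" = "inside" ]; then pw="$doc/.htpasswd"; else pw="$root/.htpasswd"; fi
  # Constructed placeholder entry; a real file holds the hash written by htpasswd.
  printf 'wikiuser:PLACEHOLDER_HASH\n' > "$pw"
  printf 'AuthType Basic\nAuthName "editable wiki"\nAuthUserFile %s\nRequire valid-user\n' "$pw" > "$priv/.htaccess"
  for d in scripts wiki.d wikilib.d; do ln -s "../yta46tbs/$d" "$pub/$d"; done
}

# Stand-alone demo: the good layout passes, the htpasswd-inside-docroot layout fails.
demo=$(mktemp -d)
make_demo_layout "$demo/good"
audit_layout "$demo/good/public_html" "$demo/good/public_html/yta46tbs" "$demo/good/public_html/x75snwne"
make_demo_layout "$demo/bad" inside
audit_layout "$demo/bad/public_html" "$demo/bad/public_html/yta46tbs" "$demo/bad/public_html/x75snwne" || echo "(failure above is the expected result for the bad layout)"
rm -rf "$demo"
```

Run it against the real tree by calling audit_layout with the document root, the private directory and the public directory; the WARN line is where the post's sniffing question lands, since Basic auth sends the username and password base64-encoded on every request and only TLS keeps them out of a capture. The audit does not inspect the PmWiki config files, so the sitewide edit password on the public copy still has to be confirmed by hand.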
