[Pmwiki-users] Easily Hackable?
H. Fox
haganfox
Thu Apr 1 00:02:37 CST 2004
I whipped up an example.
First, the editable wiki. It's secured using HTTP authentication
(.htaccess/.htpasswd). The password is md5 hashed on the filesystem
outside the document root. I'm not sure whether it can be sniffed, but
I don't think so. If so, that could probably be beefed up (SSL?).
http://www.cis-dept.com/support/yta46tbs/
username: wikiuser
password: wiki
Next, the public wiki. It shares three directories with the editable
wiki using symlinks (see the directory tree listing below my sig).
Maybe symlinking only wiki.d/ would be smarter? Is "symlink" a verb?
http://www.cis-dept.com/support/x75snwne/
This one has a sitewide "edit" password.
Obviously the sky's the limit when it comes to what the two versions of
the wiki look like.
Another thing: Since you need to log in using HTTP-auth to edit the
wiki, the username is in the headers -- meaning it presumably could be
forcefully used for author tracking. Is that so?
So... is this "easily hackable" or "hardly hackable"?
Hagan
public_html/
|-- x75snwne
|   |-- COPYING
|   |-- index.php
|   |-- local
|   |   |-- README
|   |   |-- config.php
|   |   `-- sample-config.php
|   |-- pmwiki.php
|   |-- pub
|   |   [...]
|   |-- scripts -> ../yta46tbs/scripts      <== symlink
|   |-- wiki.d -> ../yta46tbs/wiki.d/       <== "
|   `-- wikilib.d -> ../yta46tbs/wikilib.d  <== "
`-- yta46tbs
    |-- .htaccess
    |-- COPYING
    |-- index.php
    |-- local
    |   |-- README
    |   |-- config.php
    |   `-- sample-config.php
    |-- pmwiki.php
    |-- pub
    |   [...]
    |-- scripts
    |   |-- author.php
    |   [...]
    |   `-- wikistyles.php
    |-- wiki.d
    |   |-- Main.AllRecentChanges
    |   |-- Main.RecentChanges
    |   `-- Main.WikiSandbox
    `-- wikilib.d
        |-- Main.GroupAttributes
        [...]
        `-- PmWiki.WinDiff
H. Fox wrote:
> Do the client's wiki pages need to be publicly editable?
>
> If not, how about having the public pages exist on a read-only version
> of the wiki and the editable, read-write version behind a firewall
> and/or in a password-protected directory on an SSL server?
>
> You could use HTTP authentication by group and give people their
> individual user passwords that way, correct? How to replicate is an
> implementation detail -- maybe use rsync or even mirrordir. The point
> is: it should be possible / practicable to have a read only public
> version and a read-write private version of the same site.
>
> Another possibility: Could the same wiki.d directory somehow be
> read-only for the public wiki and read-write for the password-protected
> version?
>
> Hagan
>
> Greg Morgan wrote:
>
>> KC Patrick wrote:
[snip]
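
Added example, not part of the original post or of PmWiki: this Python code decodes an HTTP Basic `Authorization` header per RFC 7617, showing that the username is available to the server for author tracking and that the password is only base64-encoded unless the connection uses TLS. The function names and the sample request are assumptions constructed for illustration.

```python
import base64
from typing import NamedTuple, Optional


class BasicCredentials(NamedTuple):
    username: str
    password: str


def parse_basic_authorization(header_value: str) -> Optional[BasicCredentials]:
    """Decode an 'Authorization: Basic ...' value (RFC 7617); None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        return None
    # Only the first colon separates the fields; a password may contain colons.
    username, sep, password = text.partition(":")
    if not sep:
        return None
    return BasicCredentials(username, password)


def audit_request(scheme: str, headers: dict) -> dict:
    """Summarise what one request exposes to the server and to the network path."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    creds = parse_basic_authorization(value) if value else None
    return {
        # The server can record this per edit (Apache exposes it as REMOTE_USER).
        "author": creds.username if creds else None,
        # Base64 is an encoding, not encryption: without TLS the password
        # crosses the network in recoverable form on every request.
        "password_recoverable_in_transit": bool(creds) and scheme.lower() != "https",
    }


# Constructed sample request; host and credentials are made up for this example.
SAMPLE_HEADERS = {
    "Host": "wiki.example",
    "Authorization": "Basic " + base64.b64encode(b"editor:pa:ss").decode("ascii"),
}

if __name__ == "__main__":
    print(audit_request("http", SAMPLE_HEADERS))
    print(audit_request("https", SAMPLE_HEADERS))
```

The MD5 hash in `.htpasswd` protects the password at rest on the server only; it does not change what the client sends in this header.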