[Pmwiki-users] Easily Hackable?

Patrick R. Michaud pmichaud
Thu Apr 1 11:49:53 CST 2004


On Thu, Apr 01, 2004 at 12:06:49AM -0700, H. Fox wrote:
> First, the editable wiki.  It's secured using HTTP authentication 
> (.htaccess/.htpasswd).  The password is md5 hashed on the filesystem 
> outside the document root.  
> [...]
> Next, the public wiki.  It shares three directories with the editable 
> wiki using symlinks (see the directory tree listing below my sig). [...]
> This one has a sitewide "edit" password.
>
> So... is this "easily hackable" or "hardly hackable"?

Except for using HTTP-Digest authentication instead of HTTP-Basic, this
setup is not any more secure than simply password protecting pages with
PmWiki.  This would only be more hackable to someone who is able to
somehow watch the HTTP headers transferred between the client and 
server.

Also, instead of creating the symlinks I'd probably just create a
script to chdir to the editable wiki and run things from there.
You can see an example of this in the "Making a wiki script" section
of PmWiki.ChangePmWikiUrl (at least until I refactor that page in the
next couple of days).

> Another thing: Since you need to log in using HTTP-auth to edit the 
> wiki, the username is in the headers -- meaning it presumably could be 
> forcefully used for author tracking.  Is that so?

Sure.  If you're letting the webserver perform authentication, then 
just do:

   // REMOTE_USER is set when the webserver itself authenticated the request
   if (!empty($_SERVER['REMOTE_USER']))  $Author = $_SERVER['REMOTE_USER'];

Pm
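As an added example (not Pm's code and not PmWiki's own), here is a two-file sketch that combines the chdir approach with the REMOTE_USER idea from the reply above. It assumes the editable wiki lives at a placeholder path, that pmwiki.php is the entry point in that directory, that the local customization file is local.php (PmWiki 1.x), and that the username pattern is a site policy you choose; none of those come from the message.

```php
<?php
// Added example, not from the original post or from PmWiki itself.
//
// --- File 1: the public wiki's front script (placeholder name: public/index.php) ---
// Instead of symlinking three directories into the public tree, change into the
// editable wiki's directory and run PmWiki from there.

$EditableWikiDir = '/path/to/editable-wiki';   // placeholder path (assumption)

if (!chdir($EditableWikiDir)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Wiki directory not found.');
}

// Serve the request from the shared code base; the editable wiki's own
// customization file (File 2) decides how authors are recorded.
include_once 'pmwiki.php';   // PmWiki's entry point, assumed to be in that directory


<?php
// --- File 2: the editable wiki's local customization file (local.php, assumed) ---
// Only the editable wiki sits behind HTTP authentication, so REMOTE_USER is set
// there and empty for requests that arrive via the public copy. Accept it for
// author tracking only when it matches a conservative pattern (assumed site
// policy), so an unexpected username from the auth backend is not written into
// page history as-is.

function author_from_remote_user(array $server)
{
    if (empty($server['REMOTE_USER'])) {
        return null;                       // webserver did not authenticate this request
    }
    $user = $server['REMOTE_USER'];
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $user)) {
        return null;                       // username does not have the expected shape
    }
    return $user;
}

$remoteAuthor = author_from_remote_user($_SERVER);
if ($remoteAuthor !== null) {
    $Author = $remoteAuthor;               // PmWiki's author variable, as in Pm's one-liner
}
```

When the pattern rejects a name, the author simply falls back to whatever PmWiki would otherwise use, so a misconfigured auth backend degrades to anonymous tracking rather than to odd entries in the history.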
