[Pmwiki-users] Easily Hackable?

H. Fox haganfox
Sun Apr 4 13:35:00 CDT 2004


Steven Leite wrote:
>>You could create an arbitrary group of users for any purpose just by
>>editing the htgroups file.
> 
> Just my two bits.  What if this htgroups file was actually a Wiki page that
> was password protected by the WikiAdmin?   If that's possible, it would
> make things a lot easier (to add/edit/remove users from the list)

It would also mean you'd need to make changes in two places if you're 
already using htgroups on the server.

It would also put your security files somewhere writable by the web server 
user, which seems unacceptably non-secure.  The .htgroups file can (and 
should) be located in a non-writable directory outside the web document 
tree.

That second consideration is true of any security scheme that can be 
controlled through the wiki.  Could there be a way to revert to a 
previous state in case of malicious damage, such as with a Wiki Page? 
Could something like GPG be used on the security files to render them 
useless to a rogue Perl script that might find them on the server?

Hagan
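
Added example (not part of the original message or of PmWiki): a Python check for the placement advice above, reporting whether a group file sits inside the document tree or is writable, directly or through its directory, by the web server account. The function names, the uid/gid values and the temporary layout are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def _writable_by(st, uid, gids):
    """Apply the classic Unix owner/group/other write check to a stat result."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_auth_file(auth_file, docroot, web_uid, web_gids):
    """Return a list of findings; an empty list means the placement is sound."""
    auth = Path(auth_file).resolve()      # resolve symlinks before comparing
    root = Path(docroot).resolve()
    findings = []
    if root in auth.parents:
        findings.append("inside-docroot")
    if _writable_by(auth.stat(), web_uid, web_gids):
        findings.append("file-writable")
    # A writable parent directory lets the file be replaced via rename/unlink.
    if _writable_by(auth.parent.stat(), web_uid, web_gids):
        findings.append("dir-writable")
    return findings


def demo():
    """Constructed layout: a group file in the docroot, then one outside it."""
    # Constructed ids standing in for the web server account (not the file owner).
    web_uid, web_gids = os.getuid() + 1000, {os.getgid() + 1000}
    layout = (("htdocs", 0o777, 0o666), ("auth", 0o755, 0o644))
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp, "htdocs")
        results = []
        for name, dir_mode, file_mode in layout:
            directory = Path(tmp, name)
            directory.mkdir()
            group_file = directory / ".htgroups"
            group_file.write_text("editors: alice bob\n")  # constructed sample
            os.chmod(directory, dir_mode)
            os.chmod(group_file, file_mode)
            results.append(audit_auth_file(group_file, docroot, web_uid, web_gids))
        return results
```

The check reads mode bits only, so ACLs, mount options and mandatory access controls are outside what it sees.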