[pmwiki-users] Customer queries

Patrick R. Michaud pmichaud at pobox.com
Wed Apr 5 08:38:38 CDT 2006


On Wed, Apr 05, 2006 at 08:24:56AM -0500, Tegan Dowling wrote:
>    We have a proposal out to a customer who is asking some security questions
>    that I don't fully understand.  Can anyone enlighten me about how to
>    answer these?
> 
>      1)   Has the application been ethically hacked? If so by whom and can we
>      have a copy of the report?

Depends on what one means by "hacked".  Some people would regard
wiki-vandalism as a form of hacking, but technically it's within 
PmWiki's normal operating parameters.

But to answer the question, I'm not aware of any cases where
PmWiki has ever been used to obtain server-level access, and
I'm not aware of any instances of page-level vandalism on a site
that has appropriate passwords set.

There have been a couple of cross-site-scripting vulnerabilities
in previous versions of PmWiki, but these are rapidly fixed.
Try a search for "pmwiki" at www.securityfocus.com to see the
reports.

>      2)   Can the application support SSL?

Yes.  Usually this requires explicitly setting the $ScriptUrl
and $PubDirUrl variables, but it's not difficult.

>      3)   Does the application have an API? What security is 
>      provided through this?

Again, the answer depends on what one means by an "API".  
At the web-level, PmWiki's API is its web interface -- i.e., 
one can interact with PmWiki only through the commands available
via HTTP post and get requests, and each page access is
checked for appropriate authorization before proceeding.

At the scripting level, PmWiki's API would be the various
configuration variables and customization options that exist.
PmWiki provides a number of functions and customization hooks
to allow a script or site to alter its security profile.

Pm
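For the SSL answer above (item 2), here is what setting `$ScriptUrl` and `$PubDirUrl` looks like in practice, together with the "appropriate passwords" the first answer relies on. This is an added example, not Pm's code or PmWiki's shipped configuration: the host `wiki.example.com` and the password values are placeholders, and the HTTP-to-HTTPS redirect is plain PHP rather than a PmWiki feature.

```php
<?php
// local/config.php -- added example, not PmWiki's own distributed config.
// Assumes the wiki lives at https://wiki.example.com/ (placeholder host),
// with pmwiki.php at the web root and the pub/ directory beside it.

// 1) Pin both URL variables to the https scheme.  PmWiki builds every page
//    link from $ScriptUrl and every skin/asset link from $PubDirUrl, so
//    setting them explicitly keeps generated links on SSL instead of whatever
//    scheme PmWiki would otherwise infer from the incoming request.
$ScriptUrl = 'https://wiki.example.com/pmwiki.php';
$PubDirUrl = 'https://wiki.example.com/pub';

// 2) Refuse plain-HTTP access by redirecting to the https URL.  This is
//    ordinary PHP run before PmWiki reads any page; it is not a PmWiki
//    variable.  The check mirrors what most web servers expose: HTTPS set
//    (and not "off") or the request arriving on port 443.
$isHttps = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== ''
            && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443);
if (!$isHttps) {
  $target = $ScriptUrl;
  if (!empty($_SERVER['QUERY_STRING'])) {
    $target .= '?' . $_SERVER['QUERY_STRING'];   // keeps ?n=Group.Page etc.
  }
  // A redirect drops any POST body, so an edit submitted over http is lost
  // rather than silently saved in the clear -- the safer of the two outcomes.
  header('HTTP/1.1 301 Moved Permanently');
  header('Location: ' . $target);
  exit;
}

// 3) Site-wide passwords, so that edit/admin actions require authorization
//    before PmWiki proceeds.  pmcrypt() is PmWiki's own hashing helper
//    (PmWiki 2.2 and later; older releases used PHP's crypt() here).
//    Replace the placeholder values before deploying.
$DefaultPasswords['admin'] = pmcrypt('CHANGE-ME-admin-password');
$DefaultPasswords['edit']  = pmcrypt('CHANGE-ME-edit-password');
```

Because `local/config.php` is evaluated on every request, the redirect in step 2 runs before any wiki page is loaded, which is why it can be placed there without touching PmWiki's own scripts.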