[pmwiki-users] Need some help with a wiki.d security breach

Patrick R. Michaud pmichaud at pobox.com
Sat Nov 4 09:34:33 CST 2006


On Thu, Nov 02, 2006 at 12:00:49PM -0500, John Coxon wrote:
> On Nov 2, 2006, at 11:11 AM, Patrick R. Michaud wrote:
> >On Thu, Nov 02, 2006 at 10:49:50AM -0500, John Coxon wrote:
> >>My site is password protected. If the password were somehow obtained
> >>would that enable one to install the script in wiki.d through an
> >>edit?
> >
> >Not as written here.  PmWiki would've changed the page name to be
> >'Email.Php', as well as written the file in the page store format
> >(which protects against raw HTML or PHP scripts).  So, the file
> >arrived in wiki.d/ via some other vector.
> 
> Where might I look for that other vector? The file was installed as  
> owner = apache and group = apache and permissions = 644 just like all  
> the other files in wiki.d. An earlier version was installed a few  
> days ago as mail.php and later the same day, after considerable use,  
> the contents were deleted and permissions set to 600.

It could be coming from almost any web script that is running on
the server.  Beyond that it's pretty hard to track it down precisely.

> >What about the .htaccess file that is supposed to be in wiki.d/ --
> >is it there, or has it disappeared?
> 
> The .htaccess file is present and contains:
> 
> Order Deny,Allow
> Deny from all

I'm guessing that the webserver is configured to ignore .htaccess
files in directories.  Ouch.

Pm
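The two things discussed in this thread, a file in wiki.d/ that PmWiki itself could not have written and an .htaccess that the server may be ignoring, can both be checked with a small script. The following is an added example for this archive page, not code from the thread or from PmWiki; it assumes a POSIX shell, an Apache-style setup, and `curl`, and the site URL passed to `probe_wikid` is a placeholder you substitute yourself. The sample directory it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from PmWiki itself.
# Two checks an administrator can run after finding a stray .php file in
# wiki.d/: (1) list files that are not in PmWiki's page-store format, and
# (2) probe from outside whether the "Deny from all" .htaccess is honoured.

# PmWiki writes every page file with a first line of the form
# "version=pmwiki-2.x ...". Any other file in wiki.d/ was put there by
# something other than a page edit. The .htaccess file itself is skipped.
find_foreign_files() {
    dir=$1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        [ "$(basename "$f")" = ".htaccess" ] && continue
        first_line=$(head -n 1 "$f")
        case $first_line in
            version=pmwiki-*) continue ;;
        esac
        printf '%s\n' "$f"
    done
}

# Count files under $1 that contain a PHP open tag. Page-store files
# url-encode their text field, so a raw "<?php" would not normally
# appear in a legitimate page file.
count_php_tags() {
    grep -rl '<?php' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Fetch a page file directly through the web server. A 403 means the
# .htaccess (or a server-level <Directory> block) is blocking access;
# a 200 means the server is ignoring .htaccess, as suspected in the thread.
# $1 is the wiki's base URL, e.g. http://example.invalid/pmwiki/ (placeholder).
probe_wikid() {
    curl -s -o /dev/null -w '%{http_code}' "${1%/}/wiki.d/Main.HomePage"
}

# Constructed sample directory for a stand-alone run: one legitimate page
# file, the usual .htaccess, and a harmless stand-in for the foreign mail.php.
make_sample_wikid() {
    d=$(mktemp -d)
    printf 'version=pmwiki-2.2.0 ordered=1 urlencoded=1\nname=Main.HomePage\ntext=Welcome\n' > "$d/Main.HomePage"
    printf 'Order Deny,Allow\nDeny from all\n' > "$d/.htaccess"
    printf '<?php /* constructed placeholder, not a real script */ ?>\n' > "$d/mail.php"
    chmod 644 "$d"/*
    printf '%s\n' "$d"
}

# Run with --demo to exercise the checks against the constructed directory.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_wikid)
    echo "Foreign files in $sample:"
    find_foreign_files "$sample"
    echo "Files containing <?php: $(count_php_tags "$sample")"
    rm -rf "$sample"
fi
```

Run `find_foreign_files /path/to/wiki.d` on the real page store; anything it lists deserves the same `ls -l` look the thread gives to mail.php (owner, group, mode, timestamp). If `probe_wikid` returns 200 rather than 403, the deny rule in .htaccess is not being applied (typically `AllowOverride None` in the server configuration), and the same rule needs to go into a `<Directory>` block in the server's own configuration, where it cannot be ignored.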
