[pmwiki-users] EnableDiag

Sandy sandy at onebit.ca
Thu Mar 1 13:41:59 CST 2007


Patrick R. Michaud wrote:
> On Thu, Mar 01, 2007 at 01:50:50PM -0500, Sandy wrote:
>> Reading the manual, it says you should not set it for production 
>> environments.
>>
>> Is this really such a large security hole? What info does it give 
>> malicious folks?
> 
> In general I don't think it's a large security hole.  Most if not
> all of my sites run in production mode with $EnableDiag set
> and as far as I know I haven't suffered any ill effects from it.
> 
> However, many people often have different perceptions of security
> and want as little information as possible (either "safe" or "dangerous")
> leaking from their site.  So, the general recommendation is to
> run with $EnableDiag turned off unless it's needed.
> 
> $EnableDiag adds ?action=phpinfo, ?action=diag, and ?action=ruleset
> to the available actions.  The kinds of information that might become
> available (and that a site admin might want to restrict) include:
> 
> ?action=phpinfo:  
>   * The version of PHP, the operating system, and web server software
>   * Settings for various PHP configuration variables (e.g., register_globals,
>     allow_url_fopen, any loaded modules)
>   * Environment variables and paths in use by the PHP scripts
> 
> ?action=ruleset:
>   * The names and sequence of any markup rules being used on the site
>   * Possibly information about loaded recipes
> 
> ?action=diag:  
>   * All global variables in effect at the time of execution
>   * Encrypted values of passwords set in $DefaultPasswords
>   * All markup patterns and replacement values
>   * Information about loaded recipes
>   * Locations and paths of various PmWiki files on the system
>   * Names and addresses stored in $AuthUser, $NotifyList, etc.
>   * $AuthLDAPBindDN and $AuthLDAPBindPassword (stored as cleartext)
> 
> Note that passwords held in $DefaultPasswords and $AuthUser
> are encrypted, so even if someone obtains the encrypted values
> they would still need to break the encryption to learn the
> actual passwords.
> 
> Hope this helps,
> 
> Pm

Enough that I'll block it when I remember, but not lose any sleep. 
Looks like they could either guess at it already (I doubt my host did 
anything too unique), or would need to know PmWiki's specific 
vulnerabilities. I don't think they can edit any of the other files even 
if they do know where they are.

So the big one is email addresses to spam. So far I'm the only one in 
$NotifyList, but if I do add someone that would be important.

Thanks!

Sandy
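For anyone wanting to act on Pm's recommendation, here is an added example (not code from the thread or from PmWiki itself) of what the two options look like in a site's local/config.php: leaving the diagnostic actions disabled, or keeping them available but gating them behind the admin password. It assumes PmWiki's $HandleAuth array, which maps an action name to the authorization level required to run it.

```php
<?php
// local/config.php -- added example, not from the original message.

// Weak setting: the one the manual warns against for production sites.
// With this on, anyone can request ?action=phpinfo, ?action=diag and
// ?action=ruleset and read the globals, paths, password hashes,
// $NotifyList addresses and LDAP bind credentials Pm listed above.
// $EnableDiag = 1;

// Option 1: simply leave it off (this is the default, so the line
// is only here to make the intent visible to the next admin).
$EnableDiag = 0;

// Option 2: keep the actions for debugging, but require the admin
// password before PmWiki will dispatch them.  $HandleAuth is assumed
// to be PmWiki's per-action authorization map; 'admin' is the level
// checked against $DefaultPasswords['admin'].
// $EnableDiag = 1;
// $HandleAuth['diag']    = 'admin';
// $HandleAuth['phpinfo'] = 'admin';
// $HandleAuth['ruleset'] = 'admin';
```

After changing the setting, request one of the three actions while logged out and confirm it is refused rather than rendered.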