[pmwiki-users] Security breach?

Rogutės rogutes at googlemail.com
Mon Dec 22 04:43:54 CST 2008

James M (2008-12-21 22:45):
> I've just found that there are also similar mystery php files in the
>  pub/skins/W directory - and this does not have 777 permissions.
> And the extra link had been written to W.tmpl in that skins directory.
> How could that happen?  It certainly wasn't me, and I'm the only one who
> knows the admin password! And the only one who has (legal) access to the
> unix directories on the host.
> Any comments?
> Thanks,    James


Yes, it is a security breach. You should also check (and perhaps post)
the dates and owners/groups of all these 'mysterious' files.

If the server you are using is providing shared hosting, maybe you
should contact the owner of the server - he might be willing to

For one thing, you shouldn't be using the same password with PmWiki and
the one you are using to access unix directories on the host (and
perhaps you aren't, I'm just guessing).

Also, check the access logs (the attacker might have tried to access
these php files he created)!

Could you compress and attach the php files you deem suspicious (by
indicating where you found them and under what permissions)?

If you believe the server is clean and this is a problem with your
account only, you could try to clean up like this:

1. Back up:
    * WikiWord.WikiWord files in wiki.d/ (without .php or any other
      suffix and excluding Site.AuthUser)
    * All files you know from uploads/
    * The skin template, but only if you customized it (otherwise just
      re-download it)
    * local/ configuration files

2. Wipe out the PmWiki installation.
3. Change your admin password on the server.
4. Proofread the skin and config files you backed up.
5. Edit your config.php: disable AuthUser, change the 'upload', 'edit',
   'admin' passwords.
6. Reinstall clean PmWiki from pmwiki.org.
7. Carefully restore your backups.

--  Rogutės nuo kalniuko.
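
Added example (not part of the original message and not PmWiki project code): a shell sketch of two steps from the reply above, listing the PHP files under pub/ and uploads/ with their dates and owners/groups, and selecting only the page files from wiki.d/ for the step 1 backup. The function names, the backup directory default and the "exactly one dot" test for a Group.Name page file are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage listing and selective page backup for a PmWiki tree.
# Directory names (pub/, uploads/, wiki.d/) are the ones named in the thread.

# List every *.php file under pub/ and uploads/ with mode, owner, group,
# size and mtime, so the dates and owners/groups can be reviewed or posted.
# A listing is not a verdict: a skin may legitimately ship a PHP file.
list_php() {  # $1 = PmWiki root
    for d in "$1/pub" "$1/uploads"; do
        [ -d "$d" ] && find "$d" -type f -name '*.php' -exec ls -ld {} +
    done
    return 0
}

# Copy page files from wiki.d/ that look like Group.Name: exactly one dot,
# no .php or other suffix, not Site.AuthUser, regular files only.
# Prints the name of each file copied; everything else is left behind.
backup_pages() {  # $1 = PmWiki root, $2 = backup directory
    mkdir -p "$2" || return 1
    for f in "$1"/wiki.d/*; do          # the glob skips dotfiles
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=${f##*/}
        case "$name" in
            Site.AuthUser) continue ;;  # excluded in step 1
            *.*.*)         continue ;;  # extra suffix, e.g. Main.HomePage.php
            ?*.?*)         cp -p "$f" "$2/$name" && printf '%s\n' "$name" ;;
        esac
    done
}

# Run against a real tree only when a root is given on the command line.
if [ -n "${1:-}" ]; then
    list_php "$1"
    backup_pages "$1" "${2:-./pmwiki-backup}"
fi
```

The backup directory should sit outside the web root, and the copied files still need the proofreading described in step 4 before they are restored.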
