[pmwiki-users] Security breach?

Radu Luchian radu at monicsoft.net
Mon Dec 22 17:08:25 CST 2008


Yes, it's true. On the page you're pointing to, you missed this text:

"Important: If you used method 3b, you should reset permissions by executing
"chmod 755 ." in the directory containing pmwiki.php."

Cheers,
Radu

On Mon, Dec 22, 2008 at 2:00 PM, adam overton <a at plus1plus1plus.org> wrote:

>
> hi, is this true?
>
> > Either way, don't set
> > anything to 777.
>
>
> b/c the installation instructions for pmwiki
> (http://pmwiki.org/wiki/PmWiki/Installation) say setting uploads and
> wiki.d to 777. should they be 775 instead? just wondering if there's any
> consensus on this before i go start twiddling, changing permissions...
>
> thx
> adam
>
>
> > Message: 6
> > Date: Mon, 22 Dec 2008 10:25:35 -0500
> > From: DaveG <pmwiki at solidgone.com>
> > Subject: Re: [pmwiki-users] Security breach?
> > To: jamesm1415 at googlemail.com, pmwiki-users at pmichaud.com
> > Message-ID: <4a708741ac82d970e15efebd74de3dd0 at solidgone.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> >
> >> What happens is that the hackers use the uploads directory
> >> (with 777 permissions) to upload php files, and then it seems these php
> >> files can be used to access other parts of the filesystem (if I understood
> > <...snip...>
> >> If a directory has 777 permissions, is there anything to stop someone
> >> putting an arbitrary file there??
> > Not sure why you have directories set to 777; my uploads and wiki.d
> > directories are all 775; most other directories are 755. Not sure why some
> > are 775 -- I suspect they could be changed to 755. Either way, don't set
> > anything to 777.
> >
> >  ~ ~ Dave
> >
> >
> >
> > ------------------------------
> >
> > Message: 7
> > Date: Mon, 22 Dec 2008 13:45:52 -0200
> > From: Guillermo Calderon - INCO <calderon at fing.edu.uy>
> > Subject: [pmwiki-users] question about Cookbook/SwitchToSSLMode
> > To: pmwiki-users at pmichaud.com
> > Message-ID: <giocng$pgv$1 at ger.gmane.org>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> >
> > Hi all;
> > I was reading the page Cookbook/SwitchToSSLMode.
> > There, a complex solution is described in order to "only actions where
> > passwords are likely to be passed are sent via SSL"
> >
> > However, "The example assumes there are not read-protected pages, since
> > any 'read' passwords entered to view a page would be sent via a non-SSL
> > connection"
> >
> > It sounds too restricted since (almost) every wiki has some
> > read-protected pages and groups.
> >
> > I have implemented a very simple solution where only passwords are sent
> > via SSL and the other posts are sent via http.
> > In config.php:
> >
> > SDVA($InputTags['auth_form'], array(
> >     ':html' => "<form
> >          action='https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}'
> >          method='post'
> >          name='authform'>\$PostVars"));
> >
> > This way the action field of the auth-form sends all the information
> > via https.
> >
> > My question:  does this solution really work?
> > (I think so, but I would like to be sure)
> >
> > Guillermo
> >
> >
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > pmwiki-users mailing list
> > pmwiki-users at pmichaud.com
> > http://www.pmichaud.com/mailman/listinfo/pmwiki-users
> >
> >
> > End of pmwiki-users Digest, Vol 42, Issue 19
> > ********************************************
>
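
An added example, not part of the original thread and not PmWiki's own code: a POSIX shell audit for the two conditions discussed above, directories writable by everyone (such as 777) and PHP files sitting under uploads/. The function names and the extension list are assumptions; uploads/ is the directory name used in the thread.

```shell
#!/bin/sh
# Added example: audit a PmWiki tree for the conditions discussed in the thread.
# Function names and the extension list are hypothetical choices for this example.

# Print every directory under $1 that is writable by "other" (e.g. 777 or 757).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# Print files under $1/uploads whose extension suggests PHP code.
php_in_uploads() {
    [ -d "$1/uploads" ] || return 0
    find "$1/uploads" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) -print | sort
}

# Report findings for the tree at $1; return 0 if clean, 1 if anything was found.
audit_pmwiki() {
    root=$1
    status=0
    dirs=$(world_writable_dirs "$root")
    if [ -n "$dirs" ]; then
        printf 'world-writable directories:\n%s\n' "$dirs"
        status=1
    fi
    php=$(php_in_uploads "$root")
    if [ -n "$php" ]; then
        printf 'script files in uploads/:\n%s\n' "$php"
        status=1
    fi
    return "$status"
}

# Run against a path given on the command line, e.g.: sh audit.sh /path/to/pmwiki
if [ "$#" -gt 0 ]; then
    audit_pmwiki "$1"
fi
```

The check reads mode bits only, so a directory at 775 passes even though its group can still write to it; who belongs to that group has to be reviewed separately.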