[pmwiki-users] Infected Cookbook Recipes?
Neil Herber (nospam)
nospam at eton.ca
Sun Sep 21 18:15:22 CDT 2008
kirpi at kirpi.it wrote:
> While I see pmwiki site under spam attack, and after having restored a
> couple of web pages, I'm troubling myself with the following
> (dreadful) thought: is there a sort of security
> lock/code/flag/hash/signature/whatever allowing people to trust
> (somehow) the recipes the community upload/download and let run inside
> its servers?
> Live example: I trust Hans and, due to the very many enhancements and
> updates of Fox over time, I often happen to download and let the
> latest Fox run at my site. Of course there is no way for me to
> scrutinize the code (far too technical), so: how do I know that any
> John Hacker hasn't just uploaded a malicious version of Fox, with that
> couple of lines added which are perhaps enough to open a backdoor or
> do harm in any way?
> In case there is no security barrier at all, I humbly suggest some ad
> hoc brainstorming should be welcome.
I suppose authors could post an MD5 hash of the cookbook item, but in an
area strictly under their control, otherwise the cracker would just
upload a new MD5 along with the malicious script.
For example, Hans could post the MD5 hashes on his website for the
cookbook entries he has on the PmWiki site.
However, any such scheme means more work for the authors.
(Whoops! Sent original to Luigi only. Sorry.)
Corporate info at http://www.eton.ca/
More information about the pmwiki-users