[pmwiki-users] Sandbox Hack -- Public Service Announcement

Sandy sandy at onebit.ca
Sun Aug 3 09:08:30 CDT 2014


Lock down your sandboxes. Someone has discovered how to find and spam 
them. Several thousand edits over a few hours, and the refresh didn't 
seem to happen. It used up our server time, and the processes were still 
running. (The host had to kill them manually, and reset our limits.)

It snuck past us because it was in the main pmwiki farmfield, not the 
personal fields we usually use. Notify wasn't turned on for the main field.

Question: How do I lock down the sandbox? It's been a long time since I 
activated it.

Also, the blocklist file is very short, even though I enabled it. Ideas? 
Now that they've found us, I need to pay more attention to it.

Using plain text files for the data was a great idea. No need to learn 
SQL. I showed my husband, who knows nothing about pmwiki, the raw 
Main.Sandbox file, and he's now happily researching the ?ISP? addresses 
and other links. A lot of companies have, probably unknowingly, loaned a 
corner of their own sites to questionable groups.

I don't use PmWiki very much these days, but every time I do, it's like 
coming home. Working with it has taught me a lot about how to design a 
large, flexible program.
