On 4/5/06, <b class="gmail_sendername">Patrick R. Michaud</b> <<a href="mailto:pmichaud@pobox.com">pmichaud@pobox.com</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Wed, Apr 05, 2006 at 08:24:56AM -0500, Tegan Dowling wrote:<br>> We have a proposal out to a customer who is asking some security questions<br>> that I don't fully understand. Can anyone enlighten me about how to
<br>> answer these?<br>><br>> 1) Has the application been ethically hacked? If so by whom and can we<br>> have a copy of the report?<br><br>Depends on what one means by "hacked". Some people would regard
<br>wiki-vandalism as a form of hacking, but technically it's within<br>PmWiki's normal operating parameters.<br><br>But to answer the question, I'm not aware of any cases where<br>PmWiki has ever been used to obtain server-level access, and
<br>I'm not aware of any instances of page-level vandalism on a site<br>that has appropriate passwords set.<br><br>There have been a couple of cross-site-scripting vulnerabilities<br>in previous versions of PmWiki, but these are rapidly fixed.
<br>Try a search for "pmwiki" at <a href="http://www.securityfocus.com">www.securityfocus.com</a> to see the<br>reports.<br><br>> 2) Can the application support SSL?<br><br>Yes. Usually this requires explicitly setting the $ScriptUrl
<br>and $PubDirUrl variables, but it's not difficult.<br><br>> 3) Does the application have an API? What security is<br>> provided through this?<br><br>Again, the answer depends on what one means by an "API".
<br>At the web-level, PmWiki's API is its web interface -- i.e.,<br>one can interact with PmWiki only through the commands available<br>via HTTP post and get requests, and each page access is<br>checked for appropriate authorization before proceeding.
<br><br>At the scripting level, PmWiki's API would be the various<br>configuration variables and customization options that exist.<br>PmWiki provides a number of functions and customization hooks<br>to allow a script or site to alter its security profile.
</blockquote></div><br>Many thanks!<br>
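As an added illustration of the SSL point in Patrick's reply (this is not part of either message and not PmWiki's own code): a local/config.php fragment that sets the two variables he names so the absolute URLs PmWiki emits use the scheme the visitor connected with. The file location, the host name, and the use of $_SERVER['HTTPS'] for scheme detection are assumptions.

```php
<?php
// Added example: set PmWiki's $ScriptUrl and $PubDirUrl for a site served over SSL.
// Assumed to live in local/config.php; host name below is constructed.

// Decide the scheme from the current request. Behind a TLS-terminating
// proxy $_SERVER['HTTPS'] may be unset; in that case trust a forwarded
// protocol header only if it comes from your own proxy.
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';

// To require https for every visitor regardless of how they arrived,
// uncomment the next line instead of relying on detection.
// $scheme = 'https';

// Use a fixed host rather than $_SERVER['HTTP_HOST'], which a client controls.
$host = 'wiki.example.com';   // constructed value; replace with the real host

// The two variables from the reply: absolute URLs for the wiki script and
// the pub/ directory. Generating links, forms and stylesheet references
// with the https scheme avoids mixed-content warnings on an SSL site.
$ScriptUrl = "$scheme://$host/pmwiki.php";
$PubDirUrl = "$scheme://$host/pub";
```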