Yes, it's true. On the page you're pointing to, you missed this text:<br><br>"Important: If you used method 3b, you should reset permissions by executing "<code class="escaped">chmod 755 .</code>" in the directory containing pmwiki.php."<br>
<br>Cheers,<br>Radu<br><br><div class="gmail_quote">On Mon, Dec 22, 2008 at 2:00 PM, adam overton <span dir="ltr"><<a href="mailto:a@plus1plus1plus.org">a@plus1plus1plus.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
hi, is this true?<br>
<br>
> Either way, don't set<br>
> anything to 777.<br>
<br>
<br>
b/c the installation instructions for pmwiki (<a href="http://pmwiki.org/wiki/PmWiki/Installation" target="_blank">http://pmwiki.org/wiki/PmWiki/Installation</a>)<br>
say setting uploads and wiki.d to 777. should<br>
they be 775 instead? just wondering if there's any consensus on this<br>
before i go start twiddling, changing permissions...<br>
<br>
thx<br>
adam<br>
<br>
<br>
> Message: 6<br>
> Date: Mon, 22 Dec 2008 10:25:35 -0500<br>
> From: DaveG <<a href="mailto:pmwiki@solidgone.com">pmwiki@solidgone.com</a>><br>
> Subject: Re: [pmwiki-users] Security breach?<br>
> To: <a href="mailto:jamesm1415@googlemail.com">jamesm1415@googlemail.com</a>, <a href="mailto:pmwiki-users@pmichaud.com">pmwiki-users@pmichaud.com</a><br>
> Message-ID: <<a href="mailto:4a708741ac82d970e15efebd74de3dd0@solidgone.com">4a708741ac82d970e15efebd74de3dd0@solidgone.com</a>><br>
> Content-Type: text/plain; charset="UTF-8"<br>
><br>
><br>
>> What happens is that the hackers use the uploads directory<br>
>> (with 777 permissions) to upload php files, and then it seems these php<br>
>> files can be used to access other parts of the filesystem (if I understood<br>
> <...snip...><br>
>> If a directory has 777 permissions, is there anything to stop someone<br>
>> putting an arbitrary file there??<br>
> Not sure why you have directories set to 777; my uploads and wiki.d<br>
> directories are all 775; most other directories are 755. Not sure why some<br>
> are 775 -- I suspect they could be changed to 755. Either way, don't set<br>
> anything to 777.<br>
><br>
> ~ ~ Dave<br>
><br>
><br>
><br>
> ------------------------------<br>
><br>
> Message: 7<br>
> Date: Mon, 22 Dec 2008 13:45:52 -0200<br>
> From: Guillermo Calderon - INCO <<a href="mailto:calderon@fing.edu.uy">calderon@fing.edu.uy</a>><br>
> Subject: [pmwiki-users] question about Cookbook/SwitchToSSLMode<br>
> To: <a href="mailto:pmwiki-users@pmichaud.com">pmwiki-users@pmichaud.com</a><br>
> Message-ID: <giocng$pgv$<a href="mailto:1@ger.gmane.org">1@ger.gmane.org</a>><br>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
><br>
><br>
> Hi all;<br>
> I was reading the page Cookbook/SwitchToSSLMode.<br>
> There, a complex solution is described in order to "only actions where<br>
> passwords are likely to be passed are sent via SSL"<br>
><br>
> However, "The example assumes there are not read-protected pages, since<br>
> any 'read' passwords entered to view a page would be sent via a non-SSL<br>
> connection"<br>
><br>
> It sounds too restricted since (almost) every wiki has some<br>
> read-protected pages and groups.<br>
><br>
> I have implemented a very simple solution where only passwords are sent<br>
> via SSL and the other posts are sent via http.<br>
> In config.php:<br>
><br>
> SDVA($InputTags['auth_form'], array(<br>
> ':html' => "<form<br>
> action='https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}'<br>
> method='post'<br>
> name='authform'>\$PostVars"));<br>
><br>
> This way the action field of the auth-form sends all the information<br>
> via https.<br>
><br>
> My question: does this solution really work?<br>
> (I think so, but I would like to be sure)<br>
><br>
> Guillermo<br>
><br>
><br>
><br>
><br>
> ------------------------------<br>
><br>
> _______________________________________________<br>
> pmwiki-users mailing list<br>
> <a href="mailto:pmwiki-users@pmichaud.com">pmwiki-users@pmichaud.com</a><br>
> <a href="http://www.pmichaud.com/mailman/listinfo/pmwiki-users" target="_blank">http://www.pmichaud.com/mailman/listinfo/pmwiki-users</a><br>
><br>
><br>
> End of pmwiki-users Digest, Vol 42, Issue 19<br>
> ********************************************<br>
</blockquote></div><br>
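Added example (not part of the thread and not PmWiki code): a POSIX shell audit for the two conditions discussed above, directories writable by everyone and PHP files sitting under uploads/, plus a function that applies the modes quoted in the thread (755 on the directory containing pmwiki.php, 775 on uploads and wiki.d). The function names, the extension list and the sample tree are assumptions made for this example; 775 only works where the web server runs as the owner or group of those directories.

```shell
#!/bin/sh
# Added example, not PmWiki code. All function names are hypothetical.

# Directories under $1 writable by "other" (mode 777, 757, ...).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# Files under $1/uploads whose names a PHP-enabled server may execute.
# The extension list is an assumption; match it to the server's handlers.
php_in_uploads() {
    [ -d "$1/uploads" ] || return 0
    find "$1/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) \
        -print | sort
}

# Modes quoted in the thread: 755 on the pmwiki.php directory,
# 775 on uploads and wiki.d.
tighten_modes() {
    chmod 755 "$1"
    for d in uploads wiki.d; do
        [ -d "$1/$d" ] && chmod 775 "$1/$d"
    done
    return 0
}

# Print findings; return 1 if there are any, 0 if the tree is clean.
audit_wiki() {
    findings=$(
        world_writable_dirs "$1" | sed 's/^/world-writable dir: /'
        php_in_uploads "$1" | sed 's/^/script in uploads: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (not a real installation) for trying the audit.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/uploads/Main" "$root/wiki.d" "$root/pub"
    chmod 755 "$root" "$root/pub" "$root/uploads/Main"
    chmod 777 "$root/uploads" "$root/wiki.d"
    : > "$root/uploads/Main/photo.jpg"
    : > "$root/uploads/Main/stray.php"
    echo "$root"
}
```

Run `audit_wiki /path/to/wiki` before `tighten_modes`; a script reported under uploads/ needs investigating and is not fixed by changing modes.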