[pmwiki-users] Moving PmWiki session out of /tmp

Joachim Durchholz jo at durchholz.org
Mon Nov 28 05:47:18 CST 2005


Thomas -Balu- Walter wrote:
> On Mon, Nov 28, 2005 at 09:39:21AM +0100, Joachim Durchholz wrote:
> 
>> Ben Wilson wrote:
>>
>>>Now to see if somehow the hacker finds access 
>>>to that directory. :-)
>>
>>Disallow WWW access to that directory.
> 
> That won't help. If the attacker can include a remote file (aka
> include('http://...');) then he can access any file the webserver can.

AFAIK Apache won't serve a file through include('http://...') if the 
directory with that file is protected by the given .htaccess incantations.

You'd need to include('/path/to/pmwiki/uploads/nasty.php') or something 
similar to get around that restriction. AFAIK that's nothing that PmWiki 
can be tricked into doing (unless you have installed something like that 
in config.php or with a recipe - though I'm not aware of any recipe that 
does that).

> There are lots of examples of PHP-based file browsers that let you
> walk through a web server's directory structure just like Windows users
> do in Explorer.

Sure. I wrote such a thing myself; I even wrote one that would run 
arbitrary shell commands. No rocket science involved.
That's why allowing visitors to inject PHP code is a bad idea. I just 
don't think that it's possible to inject PHP code into a reasonably 
configured PmWiki installation.

Regards,
Jo
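
[Added example, not from this thread and not PmWiki's own code. It shows the two measures discussed above in config.php form: moving the session directory out of /tmp to a private directory outside the document root, with an .htaccess deny as the fallback when the directory has to stay under the document root. Assumptions: PmWiki reads local/config.php before it calls session_start(), so session_save_path() set here takes effect; the path /var/lib/pmwiki/sessions and the function names are hypothetical.]

```php
<?php
// Added example for the pmwiki-users thread; not PmWiki project code.
// Assumption: local/config.php runs before PmWiki calls session_start(),
// so session_save_path() set here is what PHP uses.

// Hypothetical path: a directory outside the document root, owned by the
// web server user, instead of the world-shared /tmp. Adjust for your host.
$SessionDir = '/var/lib/pmwiki/sessions';

// Returns 'ok', or a short reason why the directory is not acceptable.
function pmwiki_session_dir_check($dir, $docroot)
{
    $real = realpath($dir);
    $root = realpath($docroot);
    if ($real === false || !is_dir($real)) return 'missing';
    if (!is_writable($real))              return 'not writable';
    // Group/other must have no access at all: the directory holds session
    // data for every visitor of the wiki.
    if ((fileperms($real) & 0077) !== 0)  return 'world or group accessible';
    // Under the document root, .htaccess only stops Apache from serving the
    // files over HTTP. A local include('/path/...') or a PHP file browser
    // running as the web server user reads them regardless.
    if ($root !== false && strpos($real . '/', rtrim($root, '/') . '/') === 0) {
        return 'inside document root';
    }
    return 'ok';
}

// Fallback from the thread: deny WWW access to the directory. Covers both
// the Apache 2.2 and 2.4 authorization syntaxes. This is a second line of
// defence, not a substitute for keeping the directory out of the docroot.
function pmwiki_write_deny_htaccess($dir)
{
    $rules = "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
           . "<IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n</IfModule>\n";
    return file_put_contents("$dir/.htaccess", $rules) !== false;
}

if (!is_dir($SessionDir)) {
    // mkdir's mode is masked by the process umask, so set the umask too:
    // 0700 = owner (the web server user) only.
    $oldUmask = umask(077);
    @mkdir($SessionDir, 0700, true);
    umask($oldUmask);
}

$state = pmwiki_session_dir_check($SessionDir, $_SERVER['DOCUMENT_ROOT']);
if ($state === 'inside document root') {
    // Tolerated only with the HTTP deny in place; otherwise refuse to run.
    if (!pmwiki_write_deny_htaccess($SessionDir)) {
        die("Cannot protect session directory $SessionDir with .htaccess");
    }
} elseif ($state !== 'ok') {
    // Fail closed rather than silently falling back to /tmp.
    die("Session directory $SessionDir unusable: $state");
}

// Route PHP sessions to the private directory.
session_save_path($SessionDir);
```

The check deliberately rejects a directory that is merely readable by the web server's group: on a shared host every other customer's PHP typically runs as that same user or group, which is exactly the "hacker finds access to that directory" case from earlier in the thread.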