[pmwiki-users] Customer queries

Tegan Dowling tmdowling at gmail.com
Wed Apr 5 09:19:23 CDT 2006


On 4/5/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
>
> On Wed, Apr 05, 2006 at 08:24:56AM -0500, Tegan Dowling wrote:
> > We have a proposal out to a customer who is asking some security
> > questions that I don't fully understand.  Can anyone enlighten me
> > about how to answer these?
> >
> >   1) Has the application been ethically hacked? If so by whom and
> >      can we have a copy of the report?
>
> Depends on what one means by "hacked".  Some people would regard
> wiki-vandalism as a form of hacking, but technically it's within
> PmWiki's normal operating parameters.
>
> But to answer the question, I'm not aware of any cases where
> PmWiki has ever been used to obtain server-level access, and
> I'm not aware of any instances of page-level vandalism on a site
> that has appropriate passwords set.
>
> There have been a couple of cross-site-scripting vulnerabilities
> in previous versions of PmWiki, but these are rapidly fixed.
> Try a search for "pmwiki" at www.securityfocus.com to see the
> reports.
>
> >      2)   Can the application support SSL?
>
> Yes.  Usually this requires explicitly setting the $ScriptUrl
> and $PubDirUrl variables, but it's not difficult.
>
> >      3)   Does the application have an API? What security is
> >      provided through this?
>
> Again, the answer depends on what one means by an "API".
> At the web-level, PmWiki's API is its web interface -- i.e.,
> one can interact with PmWiki only through the commands available
> via HTTP post and get requests, and each page access is
> checked for appropriate authorization before proceeding.
>
> At the scripting level, PmWiki's API would be the various
> configuration variables and customization options that exist.
> PmWiki provides a number of functions and customization hooks
> to allow a script or site to alter its security profile.


Many thanks!
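One way to carry out the $ScriptUrl / $PubDirUrl setting Patrick describes for running PmWiki over SSL, as an added example that is not part of this thread or of PmWiki's own distribution: a fragment for the site's local/config.php that pins both URLs to https:// and sends any plain-HTTP request to the TLS side before a password or session cookie is handled. $ScriptUrl and $PubDirUrl are PmWiki's real variables; the hostname wiki.example.com, the $isHttps flag and the redirect logic are assumptions of this example.

```php
<?php
// Added example (not from the original thread or from PmWiki itself).
// Place in local/config.php. Replace the placeholder host below.
$host = 'wiki.example.com';   // fixed, so the redirect cannot be steered by a Host header

// 1. Detect whether this request already arrived over TLS.
//    (Assumes the web server terminates TLS itself; behind a reverse proxy
//    you would consult the proxy's forwarded-protocol header instead.)
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int)$_SERVER['SERVER_PORT'] === 443);

// 2. Bounce plain-HTTP requests to HTTPS before PmWiki processes any
//    authentication, so passwords and cookies never cross the wire in clear.
if (!$isHttps) {
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    header('Location: https://' . $host . $uri, true, 301);
    exit;
}

// 3. Tell PmWiki its canonical URLs, so every link, form action and
//    stylesheet reference it generates is https:// (this is the explicit
//    setting the reply above refers to).
$ScriptUrl = 'https://' . $host . '/pmwiki.php';
$PubDirUrl = 'https://' . $host . '/pub';

// 4. Mark the PHP session cookie HTTPS-only and inaccessible to scripts,
//    so an authenticated session is not replayed over HTTP or read by XSS.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
```

The redirect deliberately uses the hard-coded $host rather than the request's Host header, so a crafted Host value cannot turn the redirect into a jump to another site; the same fixed host feeds $ScriptUrl and $PubDirUrl so that generated links and the redirect target always agree.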