[pmwiki-users] Security breach?

adam overton a at plus1plus1plus.org
Mon Dec 22 15:00:01 CST 2008


hi, is this true?

> Either way, don't set
> anything to 777.


b/c the installation instructions for pmwiki
(http://pmwiki.org/wiki/PmWiki/Installation) say setting uploads and
wiki.d to 777. should they be 775 instead? just wondering if there's
any consensus on this before i go start twiddling, changing permissions...

thx
adam


> Message: 6
> Date: Mon, 22 Dec 2008 10:25:35 -0500
> From: DaveG <pmwiki at solidgone.com>
> Subject: Re: [pmwiki-users] Security breach?
> To: jamesm1415 at googlemail.com, pmwiki-users at pmichaud.com
> Message-ID: <4a708741ac82d970e15efebd74de3dd0 at solidgone.com>
> Content-Type: text/plain; charset="UTF-8"
>
>
>> What happens is that the hackers use the uploads directory
>> (with 777 permissions) to upload php files, and then it seems these php
>> files can be used to access other parts of the filesystem (if I understood
> <...snip...>
>> If a directory has 777 permissions, is there anything to stop someone
>> putting an arbitrary file there??
> Not sure why you have directories set to 777; my uploads and wiki.d
> directories are all 775; most other directories are 755. Not sure why some
> are 775 -- I suspect they could be changed to 755. Either way, don't set
> anything to 777.
>
>  ~ ~ Dave
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 22 Dec 2008 13:45:52 -0200
> From: Guillermo Calderon - INCO <calderon at fing.edu.uy>
> Subject: [pmwiki-users] question about Cookbook/SwitchToSSLMode
> To: pmwiki-users at pmichaud.com
> Message-ID: <giocng$pgv$1 at ger.gmane.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
> Hi all;
> I was reading the page Cookbook/SwitchToSSLMode.
> There, a complex solution is described in order to "only actions where
> passwords are likely to be passed are sent via SSL"
>
> However, "The example assumes there are not read-protected pages, since
> any 'read' passwords entered to view a page would be sent via a non-SSL
> connection"
>
> It sounds too restricted since (almost) every wiki has some
> read-protected pages and groups.
>
> I have implemented a very simple solution where only passwords are sent
> via SSL and the other posts are sent via http.
> In config.php:
>
> SDVA($InputTags['auth_form'], array(
>     ':html' => "<form
>          action='https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}'
>          method='post'
>          name='authform'>\$PostVars"));
>
> This way the action field of the auth-form sends all the information
> via https.
>
> My question: does this solution really work?
> (I think so, but I would like to be sure)
>
> Guillermo
>
>
>
>
> ------------------------------
>
> End of pmwiki-users Digest, Vol 42, Issue 19
> ********************************************
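
The two conditions raised in this thread (777 directories, and PHP files landing in uploads/), as an added shell audit that is not part of the original messages and is not PmWiki's own tooling. The function names and the extension list are assumptions; 775 only works where the web server user owns the directory or is in its group.

```shell
#!/bin/sh
# Added example. Usage after sourcing: audit_wiki /path/to/pmwiki
# Assumes the layout named in the thread: <root>/uploads and <root>/wiki.d.

# List directories under uploads/ and wiki.d/ that have the world-write
# bit set (mode 777 and any other o+w mode).
world_writable_dirs() {
    for d in "$1/uploads" "$1/wiki.d"; do
        if [ -d "$d" ]; then
            find "$d" -type d -perm -0002 -print
        fi
    done
    return 0
}

# List files in uploads/ whose extension a PHP handler commonly executes.
# The extension list is an assumption; match it to the server's handlers.
script_files_in_uploads() {
    if [ -d "$1/uploads" ]; then
        find "$1/uploads" -type f \
            \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) -print
    fi
    return 0
}

# Drop only the world-write bit, so 777 becomes 775 and owner/group
# access is left as it was.
tighten_dirs() {
    world_writable_dirs "$1" | while IFS= read -r d; do
        chmod o-w "$d"
    done
}

# Report both findings; return 1 if either is present, 0 if clean.
audit_wiki() {
    status=0
    ww=$(world_writable_dirs "$1")
    sf=$(script_files_in_uploads "$1")
    if [ -n "$ww" ]; then
        printf 'world-writable directories:\n%s\n' "$ww"
        status=1
    fi
    if [ -n "$sf" ]; then
        printf 'script files in uploads:\n%s\n' "$sf"
        status=1
    fi
    return $status
}
```

A script file reported in uploads/ is something to investigate rather than simply delete, since it may be evidence of the kind of upload described above.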



