[pmwiki-users] Security breach?

adam overton a at plus1plus1plus.org
Mon Dec 22 17:21:55 CST 2008


no, that statement pertains to the 'pmwiki' directory, not the  
directories within it (wiki.d, uploads)

i'm still confused - i used option 3b, to create 'wiki.d' and  
'uploads', which instructs me to set them to 777. it doesn't say  
anywhere to then change those directories to something else  
afterward, and so this doesn't jibe with the statement "don't set  
anything to 777". if it does, then the language on this essential  
installation page needs to be corrected, right?

?
thx!
adam


On 22 Dec 2008, at 3:08 PM, Radu Luchian wrote:

> Yes, it's true. On the page you're pointing to, you missed this text:
>
> "Important: If you used method 3b, you should reset permissions by  
> executing "chmod 755 ." in the directory containing pmwiki.php."
>
> Cheers,
> Radu
>
> On Mon, Dec 22, 2008 at 2:00 PM, adam overton  
> <a at plus1plus1plus.org> wrote:
>
> hi, is this true?
>
> > Either way, don't set
> > anything to 777.
>
>
> b/c the installation instructions for pmwiki
> (http://pmwiki.org/wiki/PmWiki/Installation) say setting uploads and
> wiki.d to 777. should they be 775 instead? just wondering if there's any
> consensus on this before i go start twiddling, changing permissions...
>
> thx
> adam
>
>
> > Message: 6
> > Date: Mon, 22 Dec 2008 10:25:35 -0500
> > From: DaveG <pmwiki at solidgone.com>
> > Subject: Re: [pmwiki-users] Security breach?
> > To: jamesm1415 at googlemail.com, pmwiki-users at pmichaud.com
> > Message-ID: <4a708741ac82d970e15efebd74de3dd0 at solidgone.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> >
> >> What happens is that the hackers use the uploads directory
> >> (with 777 permissions) to upload php files, and then it seems these php
> >> files can be used to access other parts of the filesystem (if I understood
> > <...snip...>
> >> If a directory has 777 permissions, is there anything to stop someone
> >> putting an arbitrary file there??
> > Not sure why you have directories set to 777; my uploads and wiki.d
> > directories are all 775; most other directories are 755. Not sure why some
> > are 775 -- I suspect they could be changed to 755. Either way, don't set
> > anything to 777.
> >
> >  ~ ~ Dave
> >
> >
> >
> > ------------------------------
> >
> > Message: 7
> > Date: Mon, 22 Dec 2008 13:45:52 -0200
> > From: Guillermo Calderon - INCO <calderon at fing.edu.uy>
> > Subject: [pmwiki-users] question about Cookbook/SwitchToSSLMode
> > To: pmwiki-users at pmichaud.com
> > Message-ID: <giocng$pgv$1 at ger.gmane.org>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> >
> > Hi all;
> > I was reading the page Cookbook/SwitchToSSLMode.
> > There, a complex solution is described in order to "only actions where
> > passwords are likely to be passed are sent via SSL"
> >
> > However, "The example assumes there are not read-protected pages, since
> > any 'read' passwords entered to view a page would be sent via a non-SSL
> > connection"
> >
> > It sounds too restricted since (almost) every wiki has some
> > read-protected pages and groups.
> >
> > I have implemented a very simple solution where only passwords are sent
> > via SSL and the other posts are sent via http.
> > In config.php:
> >
> > SDVA($InputTags['auth_form'], array(
> >     ':html' => "<form
> >          action='https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}'
> >          method='post'
> >          name='authform'>\$PostVars"));
> >
> > This way the action field of the auth-form sends all the information
> > via https.
> >
> > My question:  does this solution really work?
> > (I think so, but I would like to be sure)
> >
> > Guillermo
> >
> >
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > pmwiki-users mailing list
> > pmwiki-users at pmichaud.com
> > http://www.pmichaud.com/mailman/listinfo/pmwiki-users
> >
> >
> > End of pmwiki-users Digest, Vol 42, Issue 19
> > ********************************************
>
>
>
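
An added example, not part of the thread or of the PmWiki documentation: a POSIX shell check for the two conditions discussed above, a world-writable mode (the last 7 in 777) on the PmWiki directory, wiki.d or uploads, and script files sitting in uploads. It assumes wiki.d and uploads sit beside pmwiki.php; the function name `audit_pmwiki` and the demo tree are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the two conditions discussed
# above in a PmWiki tree. Assumes wiki.d/ and uploads/ sit beside pmwiki.php.

# audit_pmwiki ROOT: print one finding per line, nothing if the tree is clean.
audit_pmwiki() {
    root=$1
    # World-writable bit (the last 7 in 777) on the PmWiki directory, wiki.d
    # or uploads. -prune keeps find from descending below the named paths.
    find "$root" "$root/wiki.d" "$root/uploads" -prune -type d -perm -0002 \
        2>/dev/null | sed 's/^/WORLD-WRITABLE /'
    # Files in uploads with extensions commonly mapped to the PHP handler.
    if [ -d "$root/uploads" ]; then
        find "$root/uploads" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) |
            sort | sed 's/^/SCRIPT-IN-UPLOADS /'
    fi
    return 0
}

# Constructed demo tree, not a real install: method 3b left uploads at 777.
demo=$(mktemp -d)
mkdir "$demo/wiki.d" "$demo/uploads"
chmod 755 "$demo"
chmod 775 "$demo/wiki.d"
chmod 777 "$demo/uploads"
: > "$demo/uploads/photo.png"
: > "$demo/uploads/unexpected.php"
audit_pmwiki "$demo"
rm -rf "$demo"
```

On a real install, pass the directory that contains pmwiki.php as the argument; the script only reports and changes nothing.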
