[pmwiki-users] Sandbox Hack -- Public Service Announcement
sandy at onebit.ca
Sun Aug 3 09:08:30 CDT 2014
Lock down your sandboxes. Someone has discovered how to find and spam
them. Several thousand edits over a few hours, and the refresh didn't
seem to happen. It used up our server time, and the processes were still
running. (The host had to kill them manually, and reset our limits.)

It snuck past us because it was in the main pmwiki farmfield, not the
personal fields we usually use. Notify wasn't turned on for the main field.

Question: How do I lock down the sandbox? It's been a long time since I

Also, the blocklist file is very short, even though I enabled it. Ideas?
Now that they've found us, I need to pay more attention to it.

Using plain text files for the data was a great idea. No need to learn
sql. I showed my husband, who knows nothing about pmwiki, the raw
Main.Sandbox file, and he's now happily researching the "ISP" addresses
and other links. A lot of companies have, probably unknowingly, loaned a
corner of their own sites to questionable groups.

I don't use PmWiki very much these days, but every time I do, it's like
coming home. Working with it has taught me a lot about how to design a
large, flexible program.