From: Carsten K. <car...@us...> - 2004-12-07 01:41:45
A possible security issue with PhpWiki, please see what you can do to help.

Many thanks,
Carsten Klapp

On Dec 6, 2004, at 6:03 am, Santtu Jarvi wrote:

> Dear Carsten Klapp,
>
> I tried the phpWiki but noticed that I was able to load files
> with an anonymous account. With this function I was able to
> load critical files into the wiki for everyone to see.
>
> I noticed this on my own webserver and thought that it was
> only some misconfiguration somewhere.. but it can be done
> even at the phpWiki that is on display at sourceforge.
>
> Simply loading 'config/config.ini' from the load local file function
> in the administration panel gives you access to the config.ini
> file with all server configuration and admin password. All this
> can be done with a normal anonymous account.
>
> I didn't expect this kind of thing to work but it worked at the
> test site. It would be better to delete the page from there at
> once.
>
> Respectfully,
> Santtu Jarvi

Hi Santtu,

I am forwarding your message to the phpwiki-talk mailing list, someone there should be able to help.

Although I periodically monitor the phpwiki-talk list I have not had time to work on PhpWiki in almost a year, so I am not versed at all with the current code-base (i.e. there were not even any .ini files last time I worked on PhpWiki).

Thanks for reporting your problem, I have confidence in those who are currently working on PhpWiki. :)

In the future you are better off sending an email to the phpwiki-talk mailing list for assistance rather than contacting one of the developers directly. :)

http://sourceforge.net/mail/?group_id=6121

Best of luck,
Carsten