From: Reini U. <ru...@x-...> - 2004-03-08 20:12:36
Cédric Girard wrote:
> I have just created a wiki with 1.3.7 (group writing of a help document
> for archery competition organisation).
> I have a few questions about phpwiki
> - is it safe to make it public on the internet?

It depends on your webserver, database and php settings. We require register_globals = off. It's a wiki, but normally it's safe.

> Have you tested sql injection,

We use adodb and peardb quoting of database args, so I would consider it safe enough. We didn't test it enough for the plain file backends: CVS and file.

But as admin you can define malicious sql statements for $DBAuthParams in index.php, which could cause harm. allow_url_fopen should be turned off to disable index.php overrides.

> cross-site scripting?

GET and POST args are not treated specially, besides fix_magic_quotes_gpc and the fix_multipart_form_data upload vulnerability for older PHPs. So you might try to pass javascript or other malicious args to PhpWiki, but normally every arg or page content is escaped via htmlentities() before printing, besides template content. See HTML::raw and the RawHtml plugin for exceptions.

However, one could easily abuse PhpWiki by saving or changing pages with custom scripts. We have no fancy robot blocker or abuse checker as in Ward's c2 wiki, since there was no need for it yet. I wrote a short one some years ago, but never needed it after fixing our robot and google-friendly meta headers.

> - if not, what can I do to make it safer?

Write a robot blocker and abuse checker. Store ip and current time in the session and block for 20 minutes if client connects too often (> 5/sec). See http://phpwiki.sourceforge.net/phpwiki/HowToBlockRobots for my analysis some years ago. Most external links to my scripts are gone.

> - do you need help: php, french translations

Yes, we would need some updates for the french translation. See locale/po/fr.po and locale/fr/pgsrc/ There are a lot of fuzzy and empty strings, and not yet translated new pages.

-- 
Reini Urban http://xarch.tu-graz.ac.at/home/rurban/
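The robot blocker sketched in the reply (IP and timestamps kept in the session, block for 20 minutes when a client exceeds 5 requests per second) is shown below as an added example; it is not PhpWiki code and not the script Reini mentions. It assumes PHP 7 or later, plain PHP sessions, and that the snippet runs before the wiki handles the request (for instance at the top of index.php). The session key `ratelimit` and the function `rate_limit_check` are names chosen here.

```php
<?php
// Added example of a session-backed request-rate limiter; not part of PhpWiki.
// Thresholds follow the figures in the reply above.
define('RATE_WINDOW_SECONDS', 1);   // window over which hits are counted
define('RATE_MAX_HITS', 5);         // more than this many hits per window triggers a block
define('BLOCK_SECONDS', 20 * 60);   // block duration: 20 minutes

/**
 * Decide whether the current request may be served.
 * $state is the per-client record (here $_SESSION['ratelimit']) and is
 * updated in place. Returns true when allowed, false when blocked.
 */
function rate_limit_check(array &$state, string $ip, int $now): bool
{
    // A fresh session, or a session whose client IP changed, starts clean.
    if (!isset($state['ip']) || $state['ip'] !== $ip) {
        $state = ['ip' => $ip, 'hits' => [], 'blocked_until' => 0];
    }

    // Inside an active block: refuse without doing any more bookkeeping.
    if ($state['blocked_until'] > $now) {
        return false;
    }

    // Drop timestamps that fell out of the window, then record this hit.
    $state['hits'] = array_values(array_filter(
        $state['hits'],
        function ($t) use ($now) { return $t > $now - RATE_WINDOW_SECONDS; }
    ));
    $state['hits'][] = $now;

    if (count($state['hits']) > RATE_MAX_HITS) {
        $state['blocked_until'] = $now + BLOCK_SECONDS;
        $state['hits'] = [];   // nothing to keep while the block lasts
        return false;
    }
    return true;
}

session_start();
if (!isset($_SESSION['ratelimit'])) {
    $_SESSION['ratelimit'] = [];
}
$client_ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

if (!rate_limit_check($_SESSION['ratelimit'], $client_ip, time())) {
    http_response_code(429);
    header('Retry-After: ' . BLOCK_SECONDS);
    exit('Too many requests; try again later.');
}
// Normal PhpWiki request handling would continue here.
```

Because the counters live in the session, the check only constrains clients that keep sending the session cookie; a crawler that discards cookies gets a new empty session on every request and is never counted. That limits this approach to polite robots and accidental reload storms, so for hostile traffic it should be backed by a limit keyed on the client address at the web server or firewall level. The one-second resolution of time() also means bursts are measured per wall-clock second rather than over a sliding 1000 ms window.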