From: Harold H. <ha...@ha...> - 2021-07-19 03:47:36
>>> Hi Harold,
>>>
>>> Unfortunately, I have never tested Phpwiki with DATABASE_TYPE: file
>>> I have only tested with an SQL database.
>>> I will need some time to test your issue.
>>>
>>> Best regards,
>>>
>>> Marc-Etienne
>>
>> THANKS! I wish I was better at reading the code in this complex
>> application. So, there are two issues:
>>
>> 1. How to authorize users when authorization file method.
>>
>> 2. Using flat file for page data, how to avoid the creation of new files
>> when someone tries to access a page that does not exist.
>>
>> THANKS!
>>
>> Harold
>> http://bh.hallikainen.org/wiki/
>>
>
> I get a daily report of new files on the server. Here's a typical file
> created by someone trying to access a nonexistent wiki page:
>
> page_data/Historic+Papers%27%2F%2A%2A%2Fand%28select%271%27from%2F%2A%2A%2Fpg_sleep%283%29%29%270
>
> Someone is clearly trying to hack the database. It would be nice if
> attempts to access nonexistent pages did not generate a page file.
>
> THANKS!
>
> Harold
>

Following up on this, I have a couple solutions.

To get rid of the files for pages that do not exist, I create a zip dump of the wiki, move the wiki page files somewhere else as a backup, do a restore from the dump. If all looks good, the moved page files are deleted. I have not dug extensively into the code, but I understand that page access data is saved in the wiki page file. If someone tries to access a page that does not exist (typically trying to send a command to get /etc/passwd), a file is created with that page name to record the access even though the page does not exist. I might dig into the code a bit to see if I can make an access not create a file.

Second, on using file authentication, after grepping around a bit, I found in config.ini

    ; File authentication options:
    ;
    ; File to read for authentication information.
    ; Popular choices are /etc/shadow and /etc/httpd/.htpasswd
    ; AUTH_USER_FILE = /etc/shadow
    AUTH_USER_FILE = /home/harold/BhWikiData/users
    ; above line changed 7/18/21. hh See /home/harold/BhWikiData/AddingUsers for info.

You can see how I changed the AUTH_USER_FILE. I made notes in /home/harold/BhWikiData/AddingUsers to remind me how to add users:

    [harold@mai BhWikiData]$ cat AddingUsers
    User info is kept in /home/harold/BhWikiData/users. To add a user, run the command
    htpasswd UserName
    where UserName is the user to be added. You will be prompted twice for the password.
    hh 7/18/21

I added a test user, and IT WORKED! Hopefully this will help someone else using file authentication.

Thanks!

Harold

--
FCC Rules Updated Daily at http://www.hallikainen.com
Not sent from an iPhone.
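
As an added example that is not part of the original post or of PhpWiki: a report-only triage of a flat-file page_data listing that decodes each file name and flags the ones that look like injection probes such as the one quoted above. The marker patterns and all sample names except the one copied from the post are assumptions made for this sketch.

```python
import os
import re
import sys
from urllib.parse import unquote_plus

# Heuristic markers chosen for this example (assumptions, not a PhpWiki list).
MARKERS = [
    ("sql-comment", re.compile(r"/\*.*?\*/")),
    ("sql-select", re.compile(r"\bselect\b.+\bfrom\b", re.I)),
    ("sql-delay", re.compile(r"\b(pg_sleep|sleep|benchmark)\s*\(", re.I)),
    ("passwd-path", re.compile(r"/etc/passwd", re.I)),
]

def classify(filename):
    """Return the marker labels that the decoded page name matches."""
    # File names in page_data look URL-encoded with '+' for spaces
    # (inferred from the sample in the post), so decode them first.
    page_name = unquote_plus(filename)
    return [label for label, rx in MARKERS if rx.search(page_name)]

def scan(filenames):
    """Map each suspicious file name to its labels; clean names are omitted."""
    hits = {}
    for name in filenames:
        labels = classify(name)
        if labels:
            hits[name] = labels
    return hits

# Constructed sample listing; only PROBE_FROM_POST is taken from the post.
PROBE_FROM_POST = ("Historic+Papers%27%2F%2A%2A%2Fand%28select%271%27from"
                   "%2F%2A%2A%2Fpg_sleep%283%29%29%270")
SAMPLE = ["HomePage", "Historic+Papers", PROBE_FROM_POST, "%2Fetc%2Fpasswd"]

if __name__ == "__main__":
    # Pass the page_data directory as an argument, or run on the sample.
    names = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for name, labels in sorted(scan(names).items()):
        print(f"{','.join(labels)}\t{unquote_plus(name)!r}\t{name}")
```

The script only lists candidates; a legitimate page title can match a marker, so review the output before moving or deleting any file.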