Re: [Phpwiki-talk] User Authorization and Page File Creation for non-existent pages

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

>
>>
>>> Hi Harold,
>>>
>>> Unfortunately, I have never tested Phpwiki with DATABASE_TYPE: file
>>> I have only tested with an SQL database.
>>> I will need some time to test your issue.
>>>
>>> Best regards,
>>>
>>> Marc-Etienne
>>
>> THANKS! I wish I was better at reading the code in this complex
>> application. So, there are two issues:
>>
>> 1. How to authorize users when authorization file method.
>>
>> 2. Using flat file for page data, how to avoid the creation of new files
>> when someone tries to access a page that does not exist.
>>
>> THANKS!
>>
>> Harold
>> http://bh.hallikainen.org/wiki/
>>
>
> I get a daily report of new files on the server. Here's a typical file
> created by someone trying to access a nonexistent wiki page:
>
> page_data/Historic+Papers%27%2F%2A%2A%2Fand%28select%271%27from%2F%2A%2A%2Fpg_sleep%283%29%29%270
>
> Someone is clearly trying to hack the database. It would be nice if
> attempts to access nonexistent pages did not generate a page file.
>
> THANKS!
>
> Harold
>

Following up on this, I have a couple solutions.

To get rid of the files for pages that do not exist, I create a zip dump
of the wiki, move the wiki page files somewhere else as a  backup, do a
restore from the dump. If all looks good, the moved page files are
deleted.

I have not dug extensively into the code, but I understand that page
access data is saved in the wiki page file. If someone tries to access a
page that does not exist (typically trying to send a command to get
/etc/passwd), a file is created with that page name to record the access
even though the page does not exist. I might dig into the code a bit to
see if I can make an access not create a file.

Second, on using file authentication, after grepping around a bit, I found
in config.ini

; File authentication options:
;
; File to read for authentication information.
; Popular choices are /etc/shadow and /etc/httpd/.htpasswd
; AUTH_USER_FILE = /etc/shadow
AUTH_USER_FILE = /home/harold/BhWikiData/users
; above line changed 7/18/21. hh See /home/harold/BhWikiData/AddingUsers
for info.

You can see how I changed the AUTH_USER_FILE. I made notes in
/home/harold/BhWikiData/AddingUsers to remind me how to add users:

[harold@mai BhWikiData]$ cat AddingUsers
User info is kept in /home/harold/BhWikiData/users.

To add a user, run the command

htpasswd UserName

where UserName is the user to be added. You will be prompted twice for the
password.

hh
7/18/21

I added a test user, and IT WORKED! Hopefully this will help someone else
using file authentication.

Thanks!

Harold

-- 
FCC Rules Updated Daily at http://www.hallikainen.com
Not sent from an iPhone.