From: Steve W. <sw...@pa...> - 2001-04-28 14:54:02
Hi Eric! Thanks for reminding us... and I never thought of looking for file.php~ files! What will users think of next?

We discovered this problem a few months ago and it's been on the task list for a while... but in general there's no good solution so far.

http://sourceforge.net/pm/task.php?group_project_id=7691&group_id=6121&func=browse

I think .htaccess files are going to be the best route. The one thing we can't protect against though is a malicious local user. That would require the PhpWiki files to be owned and readable by the web server user only, I suppose, or put yourself and the server user in a group... we haven't discussed this on the list in some time.

~swain

p.s. sorry for the delay in replying, I was in Florida for a week.

On Mon, 23 Apr 2001, Eric Zager wrote:

> First let me say that I'm very impressed with PhpWiki and Wikis in
> general. I haven't used them very much yet, but it was astonishingly easy
> to set up PhpWiki and get it going.
>
> Maybe the following is an obvious danger, but in case no one's pointed it
> out-- the file lib/config.php has plaintext authentication info for the
> database. In principle, a web user could get that info by just typing the
> URL for lib/config.php directly. From the little experimenting I've done,
> that doesn't actually present a problem because the PHP engine tries to
> process that script. But many editors create backup files,
> lib/config.php~ for emacs. If you type the URL for the backup file, the
> PHP engine is not invoked and the user can see the backup file.
>
> You can get to the backup file at Sourceforge this way, but it looks like
> it's just the default without any sensitive info (until someone edits the
> file a second time).
>
> I'm not sure what the best solution is. I'm not a big PHP person, I've
> only tinkered a little. One idea is to add a .htaccess file that denies
> access to the most common backup files.
>
> Maybe there's no general solution, but a warning to the admin might be
> a good idea.
>
> - Eric
>

---
http://www.panix.com/~swain/
"Without music to decorate it, time is just a bunch of boring production deadlines or dates by which bills must be paid." -- Frank Zappa
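The check Eric describes and the .htaccess route Steve favours, as an added example that is not from this thread or from PhpWiki: a scanner that walks a document root for editor backup copies of scripts (the names the PHP handler will not claim, so the server hands them out as plain text) and emits an Apache FilesMatch rule built from the same regex, so the rule denies exactly the names the scanner flags. The suffix list (emacs `file~` and `#file#`, vim `.file.swp`/`.swo`, patch `.orig`/`.rej`, plus `.bak` and `.save`), the constructed sample tree and every function name here are assumptions, not anything the project ships.

```python
"""
Find editor backup copies of web scripts that a server would serve as
plain text, and emit an Apache .htaccess rule that blocks the same names.

Added example, not part of PhpWiki or of the original thread. The suffix
list is an assumption covering emacs (file~, #file#), vim (.file.swp, .swo),
patch (.orig, .rej) and the common .bak / .save conventions.
"""
import os
import re
import tempfile

# One regex drives both the scanner and the Apache rule so the two cannot
# drift apart. It is applied to the basename only, which is also what
# FilesMatch matches against.
BACKUP_NAME = re.compile(r"(~|\.bak|\.orig|\.rej|\.save|\.swp|\.swo)$|^#.*#$")


def is_backup_name(name):
    """True if the basename of `name` looks like an editor or patch backup."""
    return BACKUP_NAME.search(os.path.basename(name)) is not None


def find_backup_files(docroot):
    """Walk a document root and return the paths of backup files found there."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for fn in filenames:
            if is_backup_name(fn):
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def htaccess_rule():
    """Apache .htaccess fragment denying the same set of names.

    Uses the Order/Deny form (Apache 1.3, 2.0, 2.2; honoured by 2.4 only when
    mod_access_compat is loaded). On a pure 2.4 setup replace the two inner
    lines with 'Require all denied'. Either way the directory needs
    AllowOverride Limit (or All) for the .htaccess file to take effect.
    """
    return (
        '<FilesMatch "%s">\n'
        "    Order allow,deny\n"
        "    Deny from all\n"
        "</FilesMatch>\n" % BACKUP_NAME.pattern
    )


def scan_constructed_tree():
    """Build a constructed sample webroot in a temp dir and scan it.

    The tree mirrors the thread's case (lib/config.php beside an emacs
    backup) and adds a vim swap file and an emacs autosave file. Returns
    the basenames the scanner flagged.
    """
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        # Constructed sample files; contents are placeholders, not credentials.
        for name in ("config.php", "config.php~", ".config.php.swp",
                     "#config.php#", "index.php"):
            with open(os.path.join(lib, name), "w") as fh:
                fh.write("<?php // constructed sample, no real credentials\n")
        return [os.path.basename(p) for p in find_backup_files(root)]


if __name__ == "__main__":
    print("backup files in constructed tree:", scan_constructed_tree())
    print(htaccess_rule())
```

Run it against the real document root (`find_backup_files("/path/to/phpwiki")`) before and after installing the rule; the scan tells you what is already lying around, and a follow-up request for `lib/config.php~` should then return 403 instead of the file body. The rule only governs what Apache serves: a backup file is still readable to any local account that can read the directory, which is the remaining gap Steve points out.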