From: Jeff D. <da...@da...> - 2002-01-12 02:27:02
On Sat, 12 Jan 2002 01:31:59 +0000 "Steven Murdoch" <st...@mu...> wrote: > Do you think it would be worthwhile to send out a "security announcement" > or similar covering this feature? I think you just announced it. :-) A public wiki is a public wiki. By definition, anyone is allowed to edit it. An attacker could write a fairly trivial script which would overwrite every page in your wiki (repeatedly). The only real defense against this is good backups. (Furthermore, 1.3 is really, truly still alpha code --- even more reason for backups.) I make daily backups of my wikis, and suggest that everyone who runs a wiki with anything important on it should do the same. I suppose we should add a note in the README. On the other hand, this certainly is a bug, and it does provide an entirely too easy way to trash a wiki. Lawrence's suggestion of implementing an "undo" function which would undo all recent edits from a particular host would help in this situation. Your fix of removing all but HomePage from pgsrc is a good one. Alternatively, to get the same effect without deleting files: (after the wiki is initialized) one can edit index.php as set PGSRC to "pgsrc/HomePage". > Also does anyone know how 1.2 will respond to this type of action? I think 1.2 is safe. (Blank pages are not treated as "deleted" in 1.2.) |