phpwiki-talk

[Phpwiki-talk] possibility of compromise of bug tracker, etc for SF projects running phpwiki

[Robert D. <rob...@ya...>]

Hello,

I'm running PhpWiki for one SF project (riso.sf.net) and I'm
trying to convince another project to adopt it. PhpWiki is great!

I've been asked whether comprise of PhpWiki could lead to
compromise of the bug tracker, download manager, project
web page, etc -- i.e., the SF resources of the project other
than PhpWiki.

I want to reassure my coworkers that there is no known avenue
or exploit by which comprising PhpWiki could lead to compromising
other resources. Does anyone know of any such mechanism?

I'd really like to restrict discussion of this question to
the vulnerability of non-PhpWiki resources; in this context,
the security of PhpWiki itself is not (at the moment) an issue.

Thanks very much for your help. I appreciate it a lot!

Robert Dodier

__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus

Re: [Phpwiki-talk] possibility of compromise of bug tracker, etc for SF projects running phpwiki

[Zot O'C. <zo...@wh...>]

On Mon, 2004-01-12 at 14:30, Robert Dodier wrote:
> Hello,

I guess the question is could phpwiki offer access to other resources.

I see a few possibilities:

1)  Access to files not available to the web interface, but available to
the web user.

2)  Access to databases via open connections and bad sql checking.

The first seems to be in the range of "any php script."

The second is nixed if the DB user the wiki uses is not the same as any
other DB user.


-- 
Zot O'Connor

http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com