On Fri, 2004-01-16 at 12:34, Robert Dodier wrote:
> Hello again,
>
> I have another question about security. Have there been any known
> attacks against PhpWiki wikis? Excluding vandalism of pages. Has
> it ever happened that someone successfully obtained a database
> password and (1) really messed up the wiki -- e.g., in such a way
> that it couldn't be reloaded from an archive, or
I have not heard of this.
> (2) got access to stuff other than the wiki content?
>
2 easy ways to prevent this:
1) Run this on a web site with a user and group that is different than
the norm. Have a wikiuser and wikigroup. Put apache in the wiki
group. Then use flatfiles (gdbm). The most that can happen is the
files is trashed/removed.
2) Do that anyway, but when creating the tables create them as wikidba
and grant permissions to wikiwebuser. Never use these these users for
anything else. The most that can happen, happen to the wikiwebuser
accessible data. All the rest of your tables are owned by non-owner web
users, right? If not tell the concerned party to stop looking for
trouble, you've already found it!
> Sorry to ask so many questions -- I am trying to convince a
> skeptical third party that it's safe to run PhpWiki. Thanks for
> your help. I appreciate it very much.
Ask them what their worry is, then find it on their stuff..... If they
are non-technical, do not suffer the arguments very long, it is not
worth it. People who are paranoid, are, well paranoid.
--
Zot O'Connor
http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com
|
