Hi Eric!
Thanks for reminding us... and I never thought of looking for file.php~
files! What will users think of next?
We discovered this problem a few months ago and it's been on the task list
for a while... but in general there's no good solution so far.
http://sourceforge.net/pm/task.php?group_project_id=7691&group_id=6121&func=browse
I think .htaccess files are going to be the best route. The one thing we
can't protect against though is a malicious local user. That would require
the PhpWiki files to be owned and readable by the web server user only, I
suppose, or put yourself and the server user in a group... we haven't
discussed this on the list in some time.
~swain
p.s. sorry for the delay in replying, I was in Florida for a week.
On Mon, 23 Apr 2001, Eric Zager wrote:
> First let me say that I'm very impressed with PhpWiki and Wikis in
> general. I haven't used them very much yet, but it was astonishingly easy
> to set up PhpWiki and get it going.
>
> Maybe the following is an obvious danger, but in case no one's pointed it
> out-- the file lib/config.php has plaintext authentication info for the
> database. In principle, a web user could get that info by just typing the
> URL for lib/config.php directly. From the little experimenting I've done,
> that doesn't actually present a problem because the PHP engine tries to
> process that script. But many editors create backup files, e.g.
> lib/config.php~ for Emacs. If you type the URL for the backup file, the
> PHP engine is not invoked and the user can see the backup file.
>
> You can get to the backup file at Sourceforge this way, but it looks like
> it's just the default without any sensitive info (until someone edits the
> file a second time).
>
> I'm not sure what the best solution is. I'm not a big PHP person, I've
> only tinkered a little. One idea is to add a .htaccess file that denies
> access to the most common backup files.
>
> Maybe there's no general solution, but a warning to the admin might be
> a good idea.
>
>
> - Eric
>
---
http://www.panix.com/~swain/
"Without music to decorate it, time is just a bunch of boring
production deadlines or dates by which bills must be paid."
-- Frank Zappa
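An added example, not code from this thread or from PhpWiki itself: a small POSIX shell helper that lists the editor backup files an admin should hunt for under a PhpWiki document root (the lib/config.php~ case above, plus Emacs autosave, Vim swap and .bak/.orig copies) and prints an .htaccess body implementing the deny rule Eric proposes. The name patterns, the Apache syntax chosen and the function names are this example's own assumptions.

```shell
# Added example (not from the PhpWiki thread). Audits a document root for
# editor backup/temp copies that the PHP engine will not process and that a
# web server would otherwise hand out as plain text, and emits a matching
# .htaccess deny rule. Pattern list and function names are assumptions.

# Print paths of editor backup/temp files below "$1", one per line, sorted:
#   file~        Emacs/others backup copy
#   #file#       Emacs autosave
#   .file.swp    Vim swap file
#   *.bak/*.orig common manual or patch(1) backups
find_backup_files() {
    find "$1" -type f \( -name '*~' -o -name '#*#' -o -name '.*.swp' \
        -o -name '*.bak' -o -name '*.orig' \) | sort
}

# Print an .htaccess body that denies direct requests for those names.
# Uses Apache 2.4 "Require"; the commented lines are the 2.2 equivalent.
deny_backup_htaccess() {
    cat <<'EOF'
# Deny direct requests for editor backup copies of scripts such as
# lib/config.php~, which would otherwise be served as plain text.
<FilesMatch "(~|#|\.swp|\.bak|\.orig)$">
    Require all denied
    # Apache 2.2 equivalent:
    #   Order allow,deny
    #   Deny from all
</FilesMatch>
EOF
}

# Usage (paths are placeholders for your own install):
#   find_backup_files /var/www/phpwiki
#   deny_backup_htaccess > /var/www/phpwiki/.htaccess
```

Run the audit again after every edit session, since a backup copy only appears once the file has been saved a second time, exactly as Eric notes for the Sourceforge copy.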