version=pmwiki-2.2.4 ordered=1 urlencoded=1
agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.6 Safari/532.0
author=simon
charset=ISO-8859-1
csum=use DeObMail
host=203.97.214.12
name=PmWiki.Security
rev=80
targets=PmWiki.Passwords,PmWiki.PasswordsAdmin,PmWiki.UrlApprovals,PmWiki.AnalyzeResults,PmWiki.Blocklist,PmWiki.Notify,PmWiki.SecurityVariables,PmWiki.DeletingPages,PmWiki.AvailableActions,Site.AuthForm,Profiles.HomePage,PmWiki.Drafts,PmWiki.Uploads,PmWiki.UploadsAdmin
text=(:Summary: Resources for securing your PmWiki installation:)%0aAspects of PmWiki security are found on the following pages:%0a%0aPages distributed in a PmWiki release:%0a* [[PmWiki/Passwords]] {PmWiki/Passwords$:Summary}%0a* [[PmWiki/Passwords Admin]] {PmWiki/PasswordsAdmin$:Summary}%0a* [[PmWiki/Url Approvals]] {PmWiki/UrlApprovals$:Summary}%0a* [[(PmWiki:)Site Analyzer]] {PmWiki/SiteAnalyzer$:Summary}%0a* [[PmWiki/Blocklist]] {PmWiki/Blocklist$:Summary}%0a* [[PmWiki/Notify]] {PmWiki/Notify$:Summary}%0a* [[PmWiki/Security variables]] {PmWiki/SecurityVariables$:Summary}%0a%0a[[Cookbook(:/)]] Pages%0a%0a* [[Cookbook:Cookbook#Security | Cookbook index for Security recipes]]%0a* [[Cookbook:Secure attachments]] Protecting uploaded attachments%0a* [[Cookbook:Web server security]] Making the server more secure with .htaccess%0a* [[Cookbook:Farm security]] Making Farm installations secure%0a* [[Cookbook:DeObMail]] Hide e-mail address%0a* [[Cookbook:Protect email]] Obfusticate email addresses%0a* [[Cookbook:Audit images]] Check to see what images have been uploaded to your wiki.%0a* [[Cookbook:Private groups]] Create and secure private groups on a public wiki%0a* [[Cookbook:Only one login]] Only allow 1 login at the same time for a username%0a* [[Cookbook:Session guard]] Protects against Session Theft%0a%0a%0a>>faq%3c%3c [[#faq]]%0a%0aQ: How do I report a possible security vulnerability of PmWiki?%0a%0aA: [[http://www.pmichaud.com|Pm]] wrote about this in [[http://pmichaud.com/pipermail/pmwiki-users/2006-September/031793.html | a post to pmwiki-users from September 2006]]. In a nutshell he differentiates two cases:%0a## The possible vulnerability isn't already known publicly: In this case please contact Pm by private mail.%0a## The possible vulnerability is already known publicly: In this case feel free to discuss the vulnerability in public (e.g. on [[http://www.pmichaud.com/mailman/listinfo/pmwiki-users | pmwiki-users]]).%0aSee [[http://pmichaud.com/pipermail/pmwiki-users/2006-September/031793.html | his post mentioned above]] for details and rationals.%0a%0aQ: What about the botnet security advisory at %25newwin%25[[http://isc.sans.org/diary.php?storyid=1672]]?%0a%0aA: Sites that are running with PHP's ''register_globals'' setting set to "On" and versions of PmWiki prior to 2.1.21 may be vulnerable to a botnet exploit that is taking advantage of a bug in PHP.  The vulnerability can be closed by turning ''register_globals'' off, upgrading to PmWiki 2.1.21 or later, or upgrading to PHP versions 4.4.3 or 5.1.4.  [[%3c%3c]]In addition, there is a test at [[PmWiki:SiteAnalyzer]] that can be used to determine if your site is vulnerable.%0a%0a[[#wikivandalism]]%0a!! Wiki Vandalism%0a:Assumptions: you are using a [[PmWiki/Blocklist]] and [[PmWiki/Url approvals]].%0a: :You don't want to resort to [[PmWiki/password(s)]] protecting the entire wiki, that's not the point after all.%0a: :Ideally these protections will be invoked in @@config.php@@%0a%0a%0aQ: How do I stop pages being [[PmWiki/DeletingPages|deleted]], eg password protect a page from deletion?%0aA: Use Cookbook:DeleteAction and password protect the page deletion [[(available) action(s)]] by adding [@$DefaultPasswords['delete'] = '*';@] to @@config.php@@ or password protect the action with @@$HandleAuth['delete'] = 'edit';@@%0a->or @@$HandleAuth['delete'] = 'admin';@@ to require the edit or admin password respectively.%0a%0aQ: How do I stop pages being replaced with an empty (all spaces) page?%0aA: Add [@block: /^\s*$/@] to your [[PmWiki/blocklist]].%0a%0aQ: how do I stop pages being completely replaced by an inane comment such as ''excellent site'', ''great information'', where the content cannot be blocked?%0aA: Try using the newer [[PmWiki/Blocklist#automaticblocklists | automatic blocklists]] that pull information and IP addresses about known wiki defacers.%0a%0aA: (OR) Try using [[Cookbook:Captchas]] or [[Cookbook:Captcha]] (note these are different).%0a%0aA: (OR) Set an edit password, but make it publicly available on the [[{$SiteGroup}.AuthForm]] template.%0a%0aQ: How do I password protect all common pages in all groups such as recent changes, search, group header, group footer, and so on?%0aA: Insert the following lines into your local/config.php file. Editing these pages then requires the admin password.%0a->[@%0a## Require admin password to edit RecentChanges (etc.) pages.%0aif ($action=='edit'%0a    && preg_match('/\\.(Search|Group(Header|Footer)|(All)?RecentChanges)$/', $pagename))%0a  { $DefaultPasswords['edit'] = crypt('secret&nbsp;phrase'); }%0a@]%0a%0aNote that all GroupAttributes pages are protected by the attr password.%0a%0a'''Alternative:''' you can require 'admin' authentication for these pages:%0a->[@%0a## Require admin password to edit RecentChanges (etc.) pages.%0aif ($action=='edit' %0a    && preg_match('(Search|Group(Header|Footer)|(All)?RecentChanges)', $pagename))%0a  { $HandleAuth['edit'] = 'admin'; }%0a@]%0a%0aQ: How do I password protect the creation of new groups?%0aA: See [[Cookbook:Limit Wiki Groups]] {Cookbook.LimitWikiGroups$:Summary}%0a%0aQ: How do I password protect the creation of new pages?%0aA: See [[Cookbook:Limit new pages in Wiki Groups]] {Cookbook.LimitNewPagesInWikiGroups$:Summary}%0a%0aQ: How do I take a whitelist approach where users from known or trusted IP addresses can edit, and others require a password?%0aA: Put these lines to local/config.php:%0a[@%0a## Allow passwordless editing from own turf, pass for others.%0aif ($action=='edit'%0a && !preg_match("^90.68.", $_SERVER['REMOTE_ADDR']) )    %0a { $DefaultPasswords['edit'] = crypt('foobar'); }%0a@]%0aReplace 90.68. with the preferred network prefix and foobar with the default password for others.%0a%0aQ: How do I password protect [[PmWiki/AvailableActions|page actions]]?%0aA: See [[PmWiki/Passwords]] for setting in config.php  %0a-> @@$HandleAuth['[==]''pageactionname''[==]'] = 'pageactionname'; # along with :@@%0a-> @@$DefaultPasswords['[==]''pageactionname''[==]'] = crypt('secret&nbsp;phrase');@@%0aA: or %0a-> @@$HandleAuth['[==]''pageactionname''[==]'] = 'anotherpageactionname';@@%0a%0aQ: How to make a rule that allows only authors to edit their own wiki page in [[Profiles]] group?%0aA: Add this to your ''local/config.php''%0a%0a->@@$name = PageVar($pagename, '$Name');@@%0a->@@$group = PageVar($pagename, '$Group');@@%0a->@@if($group=='Profiles') $DefaultPasswords['edit'] = 'id:'.$name;@@%0a%0aQ: How do I moderate all postings?%0aA: Enable [[PmWiki.Drafts]]%0a* Set $EnableDrafts, this relabels the "Save" button to "Publish" and a "Save draft" button appears. %0a* Set $EnablePublish, this adds a new "publish" authorization level to distinguish editing from publishing.%0a%0aQ: How do I make a read only wiki?%0aA: In config.php [[PmWiki/PasswordsAdmin | set]] an "edit" password.%0a%0aQ: How do I restrict access to [[PmWiki/Uploads|uploaded attachments]]?%0aA: See%0a* [[PmWiki/UploadsAdmin#direct_download|instructions]] for denying  public access to the uploads directory%0a* see [[Cookbook:Secure attachments]] {Cookbook.SecureAttachments$:Summary}%0a%0a%0a%0a
time=1250929240