[pmwiki-devel] Directory structure revisited

thp at sigproc.de thp at sigproc.de
Wed Nov 8 21:07:14 CST 2006


Hello,

recently reconfiguring my webserver, I was wondering whether it'd be
possible (and actually once considered) to separate executed pmwiki scripts
from files that are accessed by these scripts. The honouring of this
separation could be enforced by a 

php_admin_value open_basedir

directive(*) in the webserver, pointing to a directory outside the
webserver docroot which will hold all files that will ever be accessed (uploads,
images, config files etc.).

IMHO this would greatly enhance the security of the overall pmwiki site. In
the current setup, as soon as an attacker gains the possibility to write
arbitrary content to an arbitrary file, the (pmwiki) site is compromised.
(He could replace a pmwiki script by his own malicious version, thus
executing arbitrary code.)

Contrary to this, when separating writeable webspace from executable
webspace this attack is not possible anymore. (Also uploading php scripts,
for example, becomes non-critical.) As a result, the integrity of the site does
not depend on the correctness of each single script that is part of it.
(The worst thing that can happen is that you lose all your data. Which can
be backed up. Arbitrary code execution is not possible.)

To implement this, I wonder whether it would be possible to easily adjust
target paths for the main data directories: wiki.d, upload, pub. Also some
config files would need to be moved around appropriately in the dir structure.

As I don't expect anyone to be keen on altering the dir structure, this
mail's purpose is mainly to put up the reasoning at all - for possible
future consideration.

Any flaws? Or any other comments to it?

Thomas

-----
(*) Or, in light of the latest open_basedir vulnerability, by an equivalent
OS based mechanism.
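One way to wire up the split the mail proposes, as an added example. This is
not the poster's configuration and not PmWiki's own code: the two directory
paths, the open_basedir line and the refuse-to-run check at the end are
assumptions made here for illustration. It uses PmWiki's documented
$WorkDir/$WikiDir, $UploadDir and $EnableDirectDownload settings to move the
writable data out of the docroot, and then checks at request time that the
separation is really in force.

```php
<?php if (!defined('PmWiki')) exit();
# local/config.php for the split layout (assumed paths, not PmWiki defaults):
#   /var/www/pmwiki     docroot, read-only for the web server user:
#                       pmwiki.php, scripts/, cookbook/, local/, pub/
#   /srv/pmwiki-data    outside the docroot, the only tree the web server may write:
#                       wiki.d/, uploads/
# Matching Apache vhost directive (assumed), so PHP can open nothing else:
#   php_admin_value open_basedir "/var/www/pmwiki:/srv/pmwiki-data:/tmp"

$DataDir = '/srv/pmwiki-data';   # assumed; must be writable by the web server user

# Page store: point both $WorkDir and the $WikiDir PageStore at the data tree.
# $WikiLibDirs is restated so the read-only wikilib.d stays in the docroot.
$WorkDir = "$DataDir/wiki.d";
$WikiDir = new PageStore($DataDir . '/wiki.d/{$Group}/$FullName');
$WikiLibDirs = array(&$WikiDir, new PageStore('$FarmD/wikilib.d/$FullName'));

# Attachments live outside the docroot too. Apache cannot serve them directly
# any more, so let pmwiki.php stream them via ?action=download instead; an
# uploaded .php file is then never executed, only sent back as data.
$EnableUpload = 1;               # upload password is set as usual, not shown here
$UploadDir = "$DataDir/uploads";
$EnableDirectDownload = 0;

# Check (plain PHP, not a PmWiki feature): refuse to serve anything unless
# open_basedir is actually in effect and none of the executable tree is
# writable by the PHP process. A writable code tree is exactly the condition
# under which an arbitrary-file-write turns into arbitrary code execution.
$CodeTree = array("$FarmD/pmwiki.php", "$FarmD/scripts", "$FarmD/local", "$FarmD/pub");
$problems = array();
if (ini_get('open_basedir') == '') $problems[] = 'open_basedir is not set';
foreach ($CodeTree as $p)
  if (is_writable($p)) $problems[] = "$p is writable by the web server user";
if ($problems) {
  header('HTTP/1.1 503 Service Unavailable');
  exit('Refusing to run: ' . implode('; ', $problems));
}
```

Two caveats a practitioner will want. pub/ cannot leave the docroot, because
browsers fetch its CSS and images directly; it stays inside the docroot and is
simply not writable by the web server user. And open_basedir only constrains
PHP itself; the file-system permissions (code tree owned by a different user,
read-only to the web server) are the OS-based mechanism the footnote alludes
to, and are what actually stops the script-replacement attack if open_basedir
is bypassed.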
