[pmwiki-devel] The (In)Security of IncludeUpload

Kathryn Andersen kat_lists at katspace.homelinux.org
Tue May 1 21:33:02 CDT 2007

Hi folks!

Having just mentioned the insecurity of my IncludeUpload recipe, I'd
appreciate some help in actually making it secure.  It's secure enough
if one can trust the people who have edit permission, but if it's an
open wiki, it is Bad News.

There are a few issues I'm aware of:

1. the command to do text-to-html conversion is a `command`, which
isn't secure, since someone could pass in arguments which would turn
it into `command arg;rm -rf /*` or the like.  With Perl, there are
things like taint.  I don't know what the equivalent is in PHP.

2. Files stored in pmwiki/uploads are not checked to see whether
the user has read permission on them.  I'm not sure how one
actually defines "read permission" for uploaded files, since
PmWiki puts permissions on wiki pages, and it isn't clear how one
would determine to which page a particular uploaded file "belongs",
in order to see if the user is allowed to read the uploaded file.
Presumably PmWiki does some sort of check when secure uploads are turned
on, but I don't know how or where that's done.

3. Files stored under $DOCUMENT_ROOT do not check Apache permissions,
they just go straight to the filesystem, which means that if the
file is readable by Apache, then it's readable by anyone.
I don't know how to check for this.

Any suggestions?

Kathryn Andersen
 _--_|\     | Kathryn Andersen	<http://www.katspace.com>
/      \    | 
\_.--.*/    | GenFicCrit mailing list <http://www.katspace.com/gen_fic_crit/>
      v     | 
------------| Melbourne -> Victoria -> Australia -> Southern Hemisphere
Maranatha!  |	-> Earth -> Sol -> Milky Way Galaxy -> Universe

More information about the pmwiki-devel mailing list