[Pmwiki-users] Wiki Article in IX
Wed Mar 31 05:21:03 CST 2004
On Wed, Mar 31, 2004 at 01:43:55AM +0200, Nils Knappmeier wrote:
> Ok, now that I found somebody who reads this paper on a regular basis,
> I've done some translating. I hope no one has done that yet...
> It's on http://www.pmichaud.com/wiki/PmWiki/Articles
Some things in this article scare me:
* The assumption that using a (presumably MySQL) database on a
virtual shared server is any safer than storing data in files. Let's
put it this way: Shared servers offer virtually no security against
other accounts on the same server when you run anything under the
Apache uid (which includes PHP and most normal CGI scripts).
* The suggestion to use PHP as CGI as a safety measure, presumably
using some kind of setuid mechanism (for those who don't know, the CGI
version derives several critical pieces of information, including the
script that is to be executed, from environment variables, which are
about the easiest thing in the world to manipulate). While I'm using
the CGI version of PHP in such an environment myself, I made sure to
only call it via a wrapper script that sets all critical environment
variables to hardcoded values.
* I'm not sure where the article gets the idea that PmWiki allows
write access to PHP scripts, to be honest, except for a few
brief moments during installation.
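The wrapper approach from the second point above, as an added example that is not from the post or from PmWiki: a POSIX sh CGI wrapper that discards the inherited environment and hands php-cgi a hardcoded script path, passing through only a short whitelist of per-request variables. The interpreter path, the wiki script path and the whitelist itself are assumptions.

```sh
#!/bin/sh
# CGI wrapper for php-cgi (added example; paths and whitelist are assumptions).
# The web server runs this script instead of php-cgi directly, so the
# interpreter never sees the caller's SCRIPT_FILENAME, PATH_TRANSLATED, PATH...

PHP_CGI=/usr/local/bin/php-cgi                   # assumed interpreter path
WIKI_SCRIPT=/home/wiki/public_html/pmwiki.php    # assumed wiki script path

# Per-request variables the web server legitimately supplies; anything not
# listed here is dropped, and anything pinned below cannot be overridden.
PASS_THROUGH="REQUEST_METHOD QUERY_STRING CONTENT_TYPE CONTENT_LENGTH
REMOTE_ADDR SERVER_NAME SERVER_PORT HTTP_HOST HTTP_COOKIE HTTP_USER_AGENT"

# Print one NAME=VALUE line per variable php-cgi will receive.
php_cgi_env() {
    printf 'SCRIPT_FILENAME=%s\n' "$WIKI_SCRIPT"   # fixed: what gets executed
    printf 'SCRIPT_NAME=%s\n' "/pmwiki.php"
    printf 'PATH=%s\n' "/usr/bin:/bin"
    printf 'REDIRECT_STATUS=200\n'   # php-cgi requires this with cgi.force_redirect on
    for name in $PASS_THROUGH; do
        eval "value=\${$name:-}"      # names come only from the fixed list above
        [ -n "$value" ] && printf '%s=%s\n' "$name" "$value"
    done
    return 0
}

# Start php-cgi with exactly that environment and nothing inherited (env -i).
run_php_cgi() {
    set --
    while IFS= read -r pair; do
        set -- "$@" "$pair"
    done <<EOF
$(php_cgi_env)
EOF
    exec env -i "$@" "$PHP_CGI"
}

# Only exec when actually invoked by the web server as a CGI program.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    run_php_cgi
fi
```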