[Pmwiki-users] Easily Hackable?

H. Fox haganfox
Wed Mar 31 21:48:30 CST 2004


Do the client's wiki pages need to be publicly editable?

If not, how about having the public pages exist on a read-only version 
of the wiki and the editable, read-write version behind a firewall 
and/or in a password-protected directory on an SSL server?

You could use HTTP authentication by group and give people their 
individual user passwords that way, correct?  How to replicate is an 
implementation detail -- maybe use rsync or even mirrordir.  The point 
is: it should be possible / practicable to have a read only public 
version and a read-write private version of the same site.

Another possibility: Could the same wiki.d directory somehow be 
read-only for the public wiki and read-write for the password-protected 
version?

Hagan
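One way to realize the read-only public copy suggested above, as an added example that is not from this list post or from PmWiki itself: a small POSIX shell publisher that stands in for rsync (the directory names and page files are constructed placeholders).

```shell
#!/bin/sh
# Added example (not from the list post or PmWiki): publish a PmWiki page
# store from the password-protected read-write host to a public read-only
# copy. rsync would normally do the copying; this stand-in uses only POSIX
# tools so the mechanism is visible. All paths and page files are constructed.
set -eu

# publish_wiki PRIVATE_WIKI_D PUBLIC_WIKI_D
# Copies every page file, drops pages deleted on the private side, and
# strips write bits on the public copy so the public web server user cannot
# modify pages even if an edit request reaches that host.
publish_wiki() {
    src=$1; dst=$2
    [ -d "$src" ] || { echo "no such source: $src" >&2; return 1; }
    mkdir -p "$dst"
    chmod 0755 "$dst"          # reopen the directory for this update only
    # 1. copy current pages; rm first so a 0444 target can be replaced
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        rm -f "$dst/$name"
        cp "$f" "$dst/$name"
    done
    # 2. remove pages that no longer exist on the private side
    for f in "$dst"/*; do
        [ -f "$f" ] || continue
        [ -f "$src/$(basename "$f")" ] || rm -f "$f"
    done
    # 3. lock the public copy: files 0444, directory 0555
    for f in "$dst"/*; do
        [ -f "$f" ] || continue
        chmod 0444 "$f"
    done
    chmod 0555 "$dst"
}

# writable_pages PUBLIC_WIKI_D: lists any page that still has a write bit
# (empty output is the expected state after publish_wiki)
writable_pages() {
    find "$1" -type f -perm -0222
}

# Demo with constructed data in a temporary directory
demo=$(mktemp -d)
mkdir "$demo/private.wiki.d"
printf 'text=Welcome to the public site\n' > "$demo/private.wiki.d/Main.HomePage"
publish_wiki "$demo/private.wiki.d" "$demo/public.wiki.d"
echo "published pages:"; ls -l "$demo/public.wiki.d"
echo "still writable: $(writable_pages "$demo/public.wiki.d")"
```

Run it from cron on the private host (or push the result with rsync over SSH) so the public copy never needs an edit path of its own.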

Greg Morgan wrote:

> KC Patrick wrote:
> 
>> I had a non-profit client reject my proposal for implementing a wiki 
>> because they heard wikis are "hackable" and are concerned because an 
>> affiliate had porn and other stuff put onto their site.
>>  
>> So, besides "the usual lecture" about security (in the documentation), 
>> what are the experiences of more learn-ed PmWiki-ers here on security 
>> issues and what should I communicate to future clients about security 
>> and PmWiki?
>>  
>> Thanks,
>>  
>> kcpatrick
> 
> 
> Well... unless you put a write password on all the pages Wikis are 
> pretty insecure, in that anyone can edit them.  So if your client is 
> looking to create a publicly viewable page that can only be edited by 
> their staff, then a wiki might not be the way to go.  Unless you use a 
> Wiki that has user based authentication that's going to be an 
> unavoidable problem.
> PmWiki has per-group and per-page passwords that can be set, but that 
> has three big drawbacks.
> 
>   1. If the admin decides to change the password to a group or page, he
>      has to distribute that password to everyone who needs it.
>   2. Passwords are sent to the server in plaintext.  This could be
>      helped somewhat if https were used in posting the authentication
>      form.  But as it stands now, even if passwords are used they're
>      pretty easy to sniff.  (note: this is something that isn't a wiki
>      specific problem and could be pretty easily fixed)
>   3. There's no relation between the password used and the Author of a
>      given page. (i.e. It would be pretty easy to make a change to a
>      page and for the Author put in your name or Pm's.  Unless you were
>      familiar with what IP address Pm posts from, you wouldn't be able
>      to tell)
> 
> So to make PmWiki more secure we need user based authentication, 
> preferably with the option to have the login form post using HTTPS.