[pmwiki-users] Online test available for latest security vulnerability

Patrick R. Michaud pmichaud at pobox.com
Tue Sep 5 18:23:11 CDT 2006

Today I've quickly put together a system that allows wiki
administrators to easily test if their site is vulnerable to
the register_globals problem described earlier.  

The starting page is at http://www.pmwiki.org/wiki/PmWiki/Analyzer .
There are instructions on the page, but I'll give an overview of
the process here.

First, an administrator downloads the 'analyze.php' script
from that page and places it in their site's cookbook directory.  
Then, activate the script with the following statements in 

    $AnalyzeKey = 'secret';

The $AnalyzeKey is a security measure to make sure that 
unauthorized people cannot use the Analyzer tool to
find vulnerable PmWiki sites.

Next, enter the url of your PmWiki site and your analyze key
value into the form on the PmWiki.Analyzer page, and press the
submit button.

A script on pmwiki.org will then contact your site, use
the analyze.php script to get some configuration information
(and use the key to verify that it's okay to analyze the site),
test for various vulnerabilities and other issues, and then 
report back on what it finds.

At present the system mainly checks for the $FarmD register_globals
vulnerability reported earlier today, but several other 
security-related and performance recommendations will be added 
to the analyzer soon.  For the $FarmD register_globals vulnerability, 
it actually tests that the vulnerability can be exploited on the site 
(as opposed to simply analyzing the configuration).

For those who want to see what happens with a vulnerable
versus a non-vulnerable site, feel free to test the system
using the following urls and an analyze key of "quick":

   Vulnerable: http://www.pmichaud.com/sandbox/vul/pmwiki.php
   Normal:     http://www.pmwiki.org/wiki

For those who are curious, it's generally okay to leave the
analyze.php script installed on a site; the key acts as a
"password" that prevents any information from being
revealed, and even if someone manages to guess the key it
doesn't reveal anything that would be of particular use to
a malicious hacker.  (You can see this for yourself at
http://www.pmwiki.org/wiki?action=analyze&key=quick .)

Questions, comments, suggestions welcomed as always.


P.S.:  Don't worry, the http://www.pmichaud.com/sandbox/vul/pmwiki.php
url given above has been "sandboxed" such that it can be
used to demonstrate the vulnerability without exposing my
server to exploits.  :-)

More information about the pmwiki-users mailing list