[pmwiki-users] EnableDiag

Patrick R. Michaud pmichaud at pobox.com
Thu Mar 1 13:25:35 CST 2007


On Thu, Mar 01, 2007 at 01:50:50PM -0500, Sandy wrote:
> Reading the manual, it says you should not set it for production 
> environments.
> 
> Is this really such a large security hole? What info does it give 
> malicious folks?

In general I don't think it's a large security hole.  Most if not
all of my sites run in production mode with $EnableDiag set
and as far as I know I haven't suffered any ill effects from it.

However, many people often have different perceptions of security
and want as little information as possible (either "safe" or "dangerous")
leaking from their site.  So, the general recommendation is to
run with $EnableDiag turned off unless it's needed.

$EnableDiag adds ?action=phpinfo, ?action=diag, and ?action=ruleset
to the available actions.  The kinds of information that might become
available (and that a site admin might want to restrict) include:

?action=phpinfo:  
  * The version of PHP, the operating system, and web server software
  * Settings for various PHP configuration variables (e.g., register_globals,
    allow_url_fopen, any loaded modules)
  * Environment variables and paths in use by the PHP scripts

?action=ruleset:
  * The names and sequence of any markup rules being used on the site
  * Possibly information about loaded recipes

?action=diag:  
  * All global variables in effect at the time of execution
  * Encrypted values of passwords set in $DefaultPasswords
  * All markup patterns and replacement values
  * Information about loaded recipes
  * Locations and paths of various PmWiki files on the system
  * Names and addresses stored in $AuthUser, $NotifyList, etc.
  * $AuthLDAPBindDN and $AuthLDAPBindPassword (stored as cleartext)

Note that passwords held in $DefaultPasswords and $AuthUser
are encrypted, so even if someone obtains the encrypted values
they would still need to break the encryption to learn the
actual passwords.

Hope this helps,

Pm
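As an added illustration, not part of the post above and not PmWiki's own code, here are the two config.php settings side by side: the permissive one that exposes the three diagnostic actions to every visitor, and the production-oriented one that keeps them off unless an administrator has deliberately enabled them for the admin password only. $EnableDiag and the three action names come from the post; $HandleAuth is assumed here to be PmWiki's per-action authorization map and should be checked against the PmWiki version in use.

```php
<?php
// local/config.php excerpt (added example, not from the original post).

// Permissive: any visitor can request ?action=phpinfo, ?action=diag and
// ?action=ruleset and read the PHP/OS/web server versions, loaded modules,
// file paths, global variables, encrypted $DefaultPasswords values and the
// cleartext $AuthLDAPBindPassword.
// $EnableDiag = 1;

// Production default: the diagnostic actions are simply not registered.
$EnableDiag = 0;

// When diagnostics are genuinely needed, turn them on and require the
// admin password for each of the three actions before PmWiki will run them.
// ASSUMPTION: $HandleAuth maps an action name to the auth level PmWiki
// demands before executing that action; verify it exists in your version.
$diagnostics_requested = false;   // flip to true only for the debugging session
if ($diagnostics_requested) {
  $EnableDiag = 1;
  foreach (array('diag', 'phpinfo', 'ruleset') as $action_name) {
    $HandleAuth[$action_name] = 'admin';
  }
}
```

The value of the gated form is that a forgotten $EnableDiag no longer hands phpinfo and the global variable dump to an anonymous visitor; only someone who can already present the admin password sees them, and that same person can set the variable back to 0 once the debugging session is over.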


