[pmwiki-users] Wiki security for ecommerce recipe

marcus prima at wordit.com
Sun Apr 20 17:12:25 CDT 2008


I have been working on the security issues involved with using an 
ecommerce solution in pmwiki. Peter and I have been discussing these 
before completing the recipe, which I see as doable otherwise.

Here are the three vulnerable areas I can recognise, and below are 
suggested solutions. Comments would be appreciated. This involves storage 
data files only: files which store visitor addresses and phone numbers 
while orders are being processed. Only these files, which could be using 
CSV to store info used by the online shop.


1) Wiki pages

2) Server intrusion/crack

3) Interception between server and browser

-------------------------------

Solutions:

1) Provide a way that scripts can read/write to pages for data storage, 
but pmwiki will not display them. This could be achieved in a similar 
way that the Draft feature handles filenames (notice pmwiki will not 
display the Draft files directly because they contain a comma), or we 
could use Group.Page.Data. pmwiki would not display those. This is not 
absolutely necessary if 2) is well implemented, but it would be another 
layer of security.


2) Server-side encryption and decryption, e.g. GnuPG (gpg) or openssl 
command line apps. Shared password stored in file readable only by 
owner, and piped to application.
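A shell sketch of solution 2, added here as an example and not part of the original post: the passphrase file is created owner-readable only and handed to the openssl command-line tool through its `file:` option, so the secret never appears on a command line or in a process listing. The paths, the CSV record and its field values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): protect an order record at rest
# with the openssl command-line tool and a passphrase file that only the
# owning (web-server) user can read. All paths and data here are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSFILE="$WORK/orders.key"          # shared passphrase, mode 0600
ENCFILE="$WORK/order-0001.csv.enc"   # encrypted storage file

# Create the passphrase file with mode 0600 *before* the secret is written,
# so there is no window in which other users on the host could read it.
(umask 077; openssl rand -base64 32 > "$PASSFILE")

# Encrypt one CSV record read from stdin. The passphrase is read from the
# file (-pass file:), never passed as an argument visible in `ps`.
encrypt_record() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$PASSFILE" -out "$ENCFILE"
}

decrypt_record() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$PASSFILE" -in "$ENCFILE"
}

# Refuse to work with a passphrase file that group or others can read.
check_passfile_mode() {
    [ "$(stat -c %a "$PASSFILE" 2>/dev/null || stat -f %Lp "$PASSFILE")" = "600" ]
}

# Constructed sample record: id, name, address, phone, item, quantity.
RECORD='0001,Jane Example,12 Sample Street,555-0100,widget,2'
printf '%s\n' "$RECORD" | encrypt_record

# The stored file must not reveal the address in the clear.
stored_is_opaque() {
    ! grep -q 'Sample Street' "$ENCFILE"
}

# Decrypting with the same passphrase file must give the record back.
roundtrip_ok() {
    [ "$(decrypt_record)" = "$RECORD" ]
}
```

Run as the web-server user; the three check functions are what a recipe would call before trusting the storage directory.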


3) SSL (https://). It turns out SSL is quite low cost now. You can get 
certificates for $15 per year. My host provides a dedicated IP (SSL 
requirement) for $2/mo.


The only cost-free alternative to SSL would be JavaScript 
encryption (also decrypted on the client in the browser). The problem is that JS 
may be blocked by firewalls, or disabled in browsers. Many people have 
programs scrutinising JS code and they may block the script. So you 
cannot rely on a JS solution.

I think if a secure ecommerce solution is achievable in pmwiki it would 
make it even more popular. I've been using OSCommerce for a few years 
and there's just so much bulk to that and similar applications.

Thanks for any comments, suggestions, code.


Marcus