[pmwiki-users] Wiki security for ecommerce recipe
marcus
prima at wordit.com
Sun Apr 20 17:12:25 CDT 2008
I have been working on the security issues involved with using an
ecommerce solution in pmwiki. Peter and I have been discussing these
before completing the recipe, which I see as doable otherwise.
Here are the three vulnerable areas I can recognise, and below are
suggested solutions. Comments would be appreciated. This involves storage
data files only. Files which store visitor addresses and phone numbers
while orders are being processed. Only these files, which could be using
CSV to store info used by the online shop.
1) Wiki pages
2) Server intrusion/crack
3) Interception between server and browser
-------------------------------
Solutions:
1) Provide a way that scripts can read/write to pages for data storage,
but pmwiki will not display them. This could be achieved in a similar
way that the Draft feature handles filenames (notice pmwiki will not
display the Draft files directly because they contain a comma), or we
could use Group.Page.Data. pmwiki would not display those. This is not
absolutely necessary if 2) is well implemented, but it would be another
layer of security.
2) Server-side encryption and decryption, e.g. GnuPG (gpg) or openssl
command line apps. Shared password stored in file readable only by
owner, and piped to application.
3) SSL (https://). It turns out SSL is quite low cost now. You can get
certificates for $15 per year. My host provides a dedicated IP (SSL
requirement) for $2/mo.
The only cost-free alternative to SSL would be JavaScript
encryption (also decrypted on the client in the browser). The problem is that JS
may be blocked by firewalls, or disabled in browsers. Many people have
programs scrutinising JS code and they may block the script. So you
cannot rely on a JS solution.
I think if a secure ecommerce solution is achievable in pmwiki it would
make it even more popular. I've been using OSCommerce for a few years
and there's just so much bulk to that and similar applications.
Thanks for any comments, suggestions, code.
Marcus
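An added example (not part of Marcus's post, nor PmWiki's own code) of the server-side approach in item 2: the openssl command-line tool encrypting one order record with a shared passphrase read from a file only the owner can read, and a check that refuses to use the passphrase file if its permissions are looser than that. The scratch directory, file names and the sample CSV line are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: server-side encryption of a stored order record with the
# openssl CLI and a passphrase file restricted to the owner (mode 600).
set -eu

WORK="$(mktemp -d)"        # assumed scratch directory, stands in for wiki.d/
KEYFILE="$WORK/shop.key"   # hypothetical passphrase file name

# Create the passphrase file with owner-only permissions from the start
# (umask applies before the file exists, so there is no world-readable window).
make_keyfile() {
    (umask 077 && openssl rand -base64 32 > "$KEYFILE")
}

# Refuse to use a passphrase file that group or others can read.
check_keyfile() {
    [ -f "$KEYFILE" ] || return 1
    mode="$(stat -c '%a' "$KEYFILE" 2>/dev/null || stat -f '%Lp' "$KEYFILE")"
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing: $KEYFILE has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Encrypt one CSV record from stdin into the data file given as $1.
# The passphrase is read from the file, never passed on the command line
# where other users could see it in the process list.
encrypt_record() {
    check_keyfile
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$KEYFILE" -out "$1"
}

# Decrypt the data file given as $1 to stdout.
decrypt_record() {
    check_keyfile
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$KEYFILE" -in "$1"
}

# Round-trip a constructed order line (not real customer data) and print it.
roundtrip() {
    make_keyfile
    printf '%s\n' "$1" | encrypt_record "$WORK/order.dat"
    decrypt_record "$WORK/order.dat"
}
```

The encrypted file on disk is what a wiki-page listing or a stolen backup would expose; without shop.key it is only ciphertext.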