[pmwiki-users] Security breach?
a at plus1plus1plus.org
Mon Dec 22 15:00:01 CST 2008
hi, is this true?
> Either way, don't set
> anything to 777.
b/c the installation instructions for pmwiki
(http://pmwiki.org/wiki/PmWiki/Installation) say setting uploads and wiki.d
to 777. should they be 775 instead? just wondering if there's any consensus
on this before i go start twiddling, changing permissions...
> Message: 6
> Date: Mon, 22 Dec 2008 10:25:35 -0500
> From: DaveG <pmwiki at solidgone.com>
> Subject: Re: [pmwiki-users] Security breach?
> To: jamesm1415 at googlemail.com, pmwiki-users at pmichaud.com
> Message-ID: <4a708741ac82d970e15efebd74de3dd0 at solidgone.com>
> Content-Type: text/plain; charset="UTF-8"
>> What happens is that the hackers use the uploads directory
>> (with 777 permissions) to upload php files, and then it seems these php
>> files can be used to access other parts of the filesystem (if I
>> If a directory has 777 permissions, is there anything to stop someone
>> putting an arbitrary file there??
> Not sure why you have directories set to 777; my uploads and wiki.d
> directories are all 775; most other directories are 755. Not sure why some
> are 775 -- I suspect they could be changed to 755. Either way, don't set
> anything to 777.
> ~ ~ Dave
> Message: 7
> Date: Mon, 22 Dec 2008 13:45:52 -0200
> From: Guillermo Calderon - INCO <calderon at fing.edu.uy>
> Subject: [pmwiki-users] question about Cookbook/SwitchToSSLMode
> To: pmwiki-users at pmichaud.com
> Message-ID: <giocng$pgv$1 at ger.gmane.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Hi all;
> I was reading the page Cookbook/SwitchToSSLMode.
> There, a complex solution is described in order to "only actions where
> passwords are likely to be passed are sent via SSL"
> However, "The example assumes there are not read-protected pages,
> any 'read' passwords entered to view a page would be sent via a non-
> It sounds too restricted since (almost) every wiki has some
> read-protected pages and groups.
> I have implemented a very simple solution where only passwords are
> via SSL and the other posts are sent via http.
> In config.php:
> SDVA($InputTags['auth_form'], array(
> ':html' => "<form
> This way the action field of the auth-form sends all the information
> via https.
> My question: does this solution really work?
> (I think so, but I would like to be sure)
> End of pmwiki-users Digest, Vol 42, Issue 19
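
A defender-side check for the two conditions raised in the thread above (directories carrying the world-write bit, and PHP files sitting under uploads), as an added example that is not part of the original message or of PmWiki. The function names and the extension list are assumptions; the `uploads/` and `wiki.d/` layout follows the thread.

```shell
#!/bin/sh
# Added example: audit a PmWiki tree for world-writable directories and for
# script files under uploads/. Function names are hypothetical.

# List directories under $1 that have the "other" write bit set (e.g. 777).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null | sort
}

# List files under $1/uploads whose extension a PHP-enabled server commonly
# executes. The extension list is an assumption; match it to the server's
# handler configuration.
script_files_in_uploads() {
    [ -d "$1/uploads" ] || return 0
    find "$1/uploads" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) -print 2>/dev/null | sort
}

# Print a report for the wiki root in $1; return 1 if anything was found.
audit_wiki() {
    root=$1
    status=0
    dirs=$(world_writable_dirs "$root")
    scripts=$(script_files_in_uploads "$root")
    if [ -n "$dirs" ]; then
        echo "World-writable directories (any local account can create files here):"
        printf '%s\n' "$dirs" | sed 's/^/  /'
        status=1
    fi
    if [ -n "$scripts" ]; then
        echo "Script files under uploads/ (review and remove if unexpected):"
        printf '%s\n' "$scripts" | sed 's/^/  /'
        status=1
    fi
    [ "$status" -eq 0 ] && echo "No world-writable directories or script files found."
    return "$status"
}

# Usage: sh audit.sh /path/to/pmwiki
if [ "$#" -gt 0 ]; then
    audit_wiki "$1"
fi
```

With 775 instead of 777, uploads keep working only if the web server process owns the directory or belongs to its group.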