[pmwiki-users] Infected Cookbook Recipes?

Hans design5 at softflow.co.uk
Mon Sep 22 02:49:35 CDT 2008


Monday, September 22, 2008, 12:15:22 AM, Neil Herber (nospam) wrote:

> I suppose authors could post an MD5 hash of the cookbook item, but in an
> area strictly under their control, otherwise the cracker would just
> upload a new MD5 along with the malicious script.

> For example, Hans could post the MD5 hashes on his website for the
> cookbook entries he has on the PmWiki site.

> However, any such scheme means more work for the authors.

Exactly. And since I am mentioned, I would not like this extra work.
If I am required/requested to create MD5 hashes and upload these to
my own website, I would rather upload the scripts just there, and not
on pmwiki.org, since I have full control who may upload on my site.
But I always preferred to support pmwiki.org's cookbook.

I know I can maintain a cookbook page and have the download link
pointing to my own site. This may be quite a good solution, for me,
at any rate, and for others with own sites, if a need to tighter file
security is really required.

Alternatively uploads on pmwiki.org could be on a per page basis, and
the cookbook page maintainer could set an upload password for the
page. But this may well evoke far too much maintenance work for Patrick.

One other not foolproof way for someone worried about file integrity
may be to check the file upload date against the version date as
stated on the cookbook page.

A page listing the recent file uploads in the cookbook group
may be useful too. If uploads are done on a per page basis, perhaps one
could set a notification on new file uploads to the page similar to
notifications on changes to a page. I know PmWiki has not got the
mechanism for this, but it may be a useful addition.


  ~Hans




More information about the pmwiki-users mailing list