[pmwiki-users] PmWiki at sourceforge, can it be secured?

Olle ollebe at student.chalmers.se
Sat Mar 7 16:32:01 CST 2009


On Saturday 07 March 2009 23.13.57 Christian Ridderström wrote:
> Hi,
>
> For the benefit of the LyX project, I and Bo are looking at using
> sourceforge to run the LyX wiki (well, actually the web site).
>
> At sourceforge, we have to store the wiki pages under a 'persistent'
> directory. Now, while setting up a test site, I checked and noticed the
> following unfortunate behaviour.
>
> * It's possible for one project, 'A', to run a PHP-script that can
>    write to the persistent directory of project 'B'.
>
> Ooops.
>

Omg. I'm surprised, SourceForge should know better. 
;-( 
I suggest that you report this to someone at SF.net ASAP. 

> Does anyone know of a workaround for this?
>

I don't. 

> Is using MySql for storing the pages a solution? Will that be safe?
>

Probably not, as you would have to store the MySQL password somewhere. If you 
stored the password in a PHP script or a .htaccess, the other project could 
probably read it through a script and save it in that project. 

> /Christian


/Olle Bergkvist



