[Pmwiki-users] Easily Hackable?

Greg Morgan Cybie
Wed Mar 31 20:47:44 CST 2004


KC Patrick wrote:

> I had a non-profit client reject my proposal for implementing a wiki 
> because they heard wikis are "hackable" and are concerned because an 
> affiliate had porn and other stuff put onto their site.
>  
> So, besides "the usual lecture" about security (in the documentation), 
> what are the experiences of more learn-ed PmWiki-ers here on security 
> issues and what should I communicate to future clients about security 
> and PmWiki?
>  
> Thanks,
>  
> kcpatrick

Well... unless you put a write password on all the pages, Wikis are 
pretty insecure, in that anyone can edit them.  So if your client is 
looking to create a publicly viewable page that can only be edited by 
their staff, then a wiki might not be the way to go.  Unless you use a 
Wiki that has user-based authentication, that's going to be an 
unavoidable problem.

PmWiki has per-group and per-page passwords that can be set, but that 
has three big drawbacks.

   1. If the admin decides to change the password to a group or page, he
      has to distribute that password to everyone who needs it.
   2. Passwords are sent to the server in plaintext.  This could be
      helped somewhat if https were used in posting the authentication
      form.  But as it stands now, even if passwords are used they're
      pretty easy to sniff.  (note: this is something that isn't a wiki
      specific problem and could be pretty easily fixed)
   3. There's no relation between the password used and the Author of a
      given page. (i.e. It would be pretty easy to make a change to a
      page and for the Author put in your name or Pm's.  Unless you were
      familiar with what IP address Pm posts from, you wouldn't be able
      to tell)

So to make PmWiki more secure we need user-based authentication, 
preferably with the option to have the login form post using HTTPS.
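As an added illustration of drawbacks 1 and 3 above (a constructed Python model, not PmWiki's own code): with a shared page password, anyone holding the secret can sign an edit with any author name, whereas user-based authentication records the authenticated account as the author regardless of what the edit claims. The class names, the in-memory history list and the salted PBKDF2 password storage are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed model of the two edit-gating schemes discussed in the thread.
# Passwords are stored as salted PBKDF2-SHA256 hashes rather than plaintext.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) for a password; a fresh random salt by default."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class SharedPasswordWiki:
    """Per-page/group password: every holder of the secret may edit, and the
    Author field is whatever the editor typed, so the history is unverifiable."""

    def __init__(self, page_password):
        self.salt, self.digest = hash_password(page_password)
        self.history = []  # list of (page, author) entries

    def edit(self, page, password, claimed_author):
        if not check_password(password, self.salt, self.digest):
            return False
        self.history.append((page, claimed_author))  # author is unverified
        return True


class UserAuthWiki:
    """User-based authentication: the recorded author is the authenticated
    account, never a free-form name supplied alongside the edit."""

    def __init__(self, users):
        self.users = {name: hash_password(pw) for name, pw in users.items()}
        self.history = []  # list of (page, authenticated_user) entries

    def edit(self, page, username, password, claimed_author=None):
        creds = self.users.get(username)
        if creds is None or not check_password(password, *creds):
            return False
        self.history.append((page, username))  # claimed_author is ignored
        return True
```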
