[pmwiki-users] index.php
Neil Herber
nospam at eton.ca
Thu Jul 21 16:43:00 CDT 2005
At 2005-07-21 02:21 PM -0700, H. Fox is rumored to have said:
>On 7/20/05, Benjamin Wilson <ameen at dausha.net> wrote:
> > The less intrusive action is to provide sample-index.php. Although,
> > having three ways of accessing pmwiki (e.g. pmwiki.php, index.php, and
> > sample-index.php) presents a greater security threat, IMO. I mean, I
> > only have one PHP script callable by the browser.
>
>Wondering: If they are all equivalent, what security risk does it
>introduce?
>
>There's definitely risk from the renaming approach. If you forget the
>extra step of copying pmwiki.php to index.php when you upgrade you'll
>have security risk from (1) not getting the new version's security
>fixes, and (2) version mixing.
I wondered what the risk was too, and I did find one. If you have blocked
execution of pmwiki.php in the farm "field" with something like:
### --- prevent execution of PmWiki in farm field from anywhere -----
<Directory "path/to/farm/field/pmwiki">
<Files pmwiki.php>
Order allow,deny
Deny from all
</Files>
</Directory>
Then the additional index.php with an include of pmwiki.php gets around it.
Even sample-index.php presents this risk.
With either of these files in the base distribution, an upgrading admin
will silently add these workarounds.
What if pmwiki.php was renamed something like pmwiki.source and index.php
(or pmwiki.php) included it?
+ renaming pmwiki.php would no longer cause upgrade problems
+ people might be less inclined to mess with something called "source"
- requires a retrofit for existing installations
- messes up includes from fields
- makes my no-execute farm field scheme (above) fail
A better name for sample-index.php could be index.php-sample, so that it
would not execute. This assumes that the web server hasn't been set to
parse everything for PHP.
Neil
Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668
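An added audit script (not from this thread or from PmWiki) showing why the <Files pmwiki.php> deny above does not cover an index.php that includes pmwiki.php: the Deny applies to HTTP requests, while include() reads the file from disk. It builds a constructed farm-field directory in a temp folder and reports every web-callable .php file that still pulls in pmwiki.php; the file names, the config snippet and the .php-only-handler assumption are taken from the post.

```python
import os
import re
import tempfile

# Apache snippet from the post: it refuses HTTP requests for pmwiki.php only.
FIELD_CONF = """
<Directory "path/to/farm/field/pmwiki">
<Files pmwiki.php>
Order allow,deny
Deny from all
</Files>
</Directory>
"""

def denied_files(conf):
    """Filenames covered by a <Files ...> block containing 'Deny from all'."""
    denied = set()
    for m in re.finditer(r'<Files\s+"?([^">\s]+)"?>(.*?)</Files>', conf, re.S | re.I):
        if re.search(r"^\s*Deny\s+from\s+all", m.group(2), re.M | re.I):
            denied.add(m.group(1))
    return denied

def includes_pmwiki(path):
    """True when the script loads pmwiki.php via include/require (any variant)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return re.search(r"\b(include|require)(_once)?\b[^;]*pmwiki\.php", fh.read()) is not None

def audit_field(field_dir, conf):
    """Web-callable .php files (not denied) that still run pmwiki.php via include().
    The Deny applies to HTTP requests, not to include() reading the file from disk."""
    denied = denied_files(conf)
    return sorted(
        name for name in os.listdir(field_dir)
        if name.endswith(".php") and name not in denied  # assumes only .php runs as PHP
        and includes_pmwiki(os.path.join(field_dir, name))
    )

def demo():
    """Constructed field directory holding the files the thread discusses."""
    files = {
        "pmwiki.php": "<?php /* engine */",
        "index.php": "<?php include('pmwiki.php');",
        "sample-index.php": "<?php include_once 'pmwiki.php';",
        "index.php-sample": "<?php include('pmwiki.php');",  # not served as PHP
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_field(d, FIELD_CONF)
```

Running demo() flags index.php and sample-index.php but not index.php-sample, which is the rename the post proposes.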