[dokuwiki] Re: Strange attack on the wiki

  • From: "Harry Fuecks" <hfuecks@xxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Sat, 9 Sep 2006 00:06:50 +0200

Probably the quickest and safest fix is simply to delete the bin
sub-directory. The scripts in there are meant for command line use and
(as far as I know) are not used by any other part of Dokuwiki - i.e.
deleting it shouldn't break your wiki and if you don't know what
they're for, you don't need them.

Have to take my share of blame - dwpage.php is code I wrote - had
never occurred to me that someone would place it publicly under
their document root, given it's a command line script meant for
administrators only, with shell access to the server. A check at the
start, using php_sapi_name() for the CLI sapi would have prevented
this.

On 9/8/06, Terence J. Grant <tjgrant@xxxxxxxxxxxx> wrote:
Hi Oliver, et al... (perhaps Andi)

I realize there is panic mode right now, so don't see this as any kind
of immediate request...

I am not (and I'm sure this is the case for others) horribly confident
beyond the .htaccess fix on how exactly to change (or check) the
register_argc_argv, and really the configuration of php safe_mode, php
base_opendir and things of that nature.

So if all of this is required, Oliver, if you or someone knowledgeable
could post a wiki:tip for this, it might help...

This is just partially due to inexperience with apache as well as not
being able to self host.

And again I realize this is non-finalized; some things like this might
not be necessary-- but if they are, please keep the above in mind.

--
--Terence J. Grant(tjgrant@xxxxxxxxxxxx)
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
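
A sketch of the php_sapi_name() check mentioned in the message above, as an added example; it is not code from dwpage.php or the DokuWiki project, and the function names `is_cli_invocation` and `require_cli` are hypothetical. It assumes PHP 7.1 or later.

```php
<?php
// Added example (not DokuWiki code): refuse to run unless started from a shell.

/**
 * Decide whether this looks like a genuine command-line start.
 * $sapi and $server are parameters so the logic can be exercised in isolation.
 */
function is_cli_invocation(string $sapi, array $server): bool
{
    // Accept only the CLI SAPI. php-cgi reports "cgi" or "cgi-fcgi" both from
    // a shell and for web requests, so it is rejected as well.
    if ($sapi !== 'cli') {
        return false;
    }
    // A web server sets these for each request; an ordinary shell does not.
    foreach (['REQUEST_METHOD', 'GATEWAY_INTERFACE', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            return false;
        }
    }
    return true;
}

/** Stop with a 403 and a plain-text message when reached through a web server. */
function require_cli(): void
{
    if (is_cli_invocation(PHP_SAPI, $_SERVER)) {
        return;
    }
    if (!headers_sent()) {
        header('HTTP/1.1 403 Forbidden');
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "This script can only be run from the command line.\n";
    exit(1);
}

// Must be the first executable statement: before any include, before any
// option parsing, and before anything reads $_SERVER['argv'].
require_cli();

// Only past the guard are the arguments treated as coming from an administrator.
$args = array_slice($_SERVER['argv'] ?? [], 1);
fwrite(STDOUT, 'arguments: ' . json_encode($args) . PHP_EOL);
```

The guard complements removing the bin directory or keeping it outside the document root; it does not replace either.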
