The response to this was swift. But I think maybe more needs be done.
[burt@sherman ~]$ curl http://wiki.cs.miami.edu/pages/bin/indexer.php #!/usr/local/bin/php Searching pages... 17 pages found.
After securing bin with .htaccess:
[burt@sherman ~]$ curl http://wiki.cs.miami.edu/pages/bin/indexer.php <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /pages/bin/indexer.php on this server.</p> </body></html>
On Sep 8, 2006, at 6:35 PM, Harry Fuecks wrote:
OK - have updated the wiki:install page with a "Step 2" on security (http://wiki.splitbrain.org/wiki:install) which links across to the wiki:security (http://wiki.splitbrain.org/wiki:security) page, where I've add a note on the bin directory.
On 9/9/06, Harry Fuecks <hfuecks@xxxxxxxxx> wrote:Probably the quickest and safest fix is simply to delete the bin
sub-directory. The scripts in there are meant for command line use and
(as far as I know) are not used by any other part of Dokuwiki - i.e.
deleting it shouldn't break you're wiki and if you don't know what
they're for, you don't need them.
Have to take my share of blame - dwpage.php is code I wrote - had never occurred to me that someone would place it publically under their document root, given it's a command line script meant for administrators only, with shell access to the server. A check at the start, using php_sapi_name() for the CLI sapi would have prevented this.
On 9/8/06, Terence J. Grant <tjgrant@xxxxxxxxxxxx> wrote:
> Hi Oliver, et al... (perhaps Andi)
> I realize there is panic mode right now, so don't see this as any kind
> of immediate request...
> I am not (and I'm sure this is the case for others) horribly confident
> beyond the .htaccess fix on how exactly to change(or check) the
> register_argc_argv, and really the configuration of php safe_mode, php
> base_opendir and things of that nature.
> So if all of this is required, Oliver, if you or someone knowledgable
> could post a wiki:tip for this, it might help...
> This is just partially due to inexperience with apache as well as not
> being able to self host.
> And again I realize this is non-finalized; some things like this might
> not be necessary-- but if they are, please keep the above in mind.
> --Terence J. Grant(tjgrant@xxxxxxxxxxxx)
> DokuWiki mailing list - more info at
-- DokuWiki mailing list - more info at http://wiki.splitbrain.org/wiki:mailinglist