[dokuwiki] Re: Strange attack on the wiki

  • From: Chris Smith <chris@xxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Sat, 09 Sep 2006 10:37:34 +0100

Burton Rosenberg wrote:

The response to this was swift. But I think maybe more needs be done.

.htaccess is used in many directories (inc/lang, for instance), but not all.

Unfortunately, not all webservers recognise .htaccess files (e.g. IIS), so it's a flawed solution. The ideal solution is to adjust your DokuWiki install so only the executable scripts are below the document root; unfortunately, for many hosting services this either isn't feasible or isn't straightforward. However, if your FTP area starts below your webroot, it is possible. The instructions for doing so can be found at http://wiki.splitbrain.org/wiki:security.

Those who use webservers that don't support .htaccess files, and who use ACLs to restrict read access to parts of their wiki, must take some action to secure their restricted wiki data; otherwise http://www.mywiki.com/path/to/savedir/pages/private/namespace/hidden.txt will reveal the restricted information.

PHP files can be secured; e.g. the DokuWiki plugin files have already been secured. Other PHP files could be given the same mechanism.

First lines:

// must be run within dokuwiki
if (!defined('DOKU_INC')) die();


-- DokuWiki mailing list - more info at http://wiki.splitbrain.org/wiki:mailinglist
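The two checks the message above asks for (which PHP files lack the DOKU_INC guard, and which data directories a browser could fetch directly) can be automated. The following audit script is an added example, not code from the original post or from DokuWiki itself. It builds a small constructed install in a temporary directory rather than reading a real one; the data sub-directory names, the entry-point list and the sample file contents are assumptions for the demo. The .htaccess check models only Apache's `deny from all` / `Require all denied`; passing `honour_htaccess=False` models a server such as IIS that ignores .htaccess altogether, which is the case the message warns about.

```python
import os
import re
import tempfile

# Guard that DokuWiki plugin files begin with: when the file is included via
# doku.php, DOKU_INC is defined; on a direct HTTP request it is not, so die().
GUARD_RE = re.compile(
    r"""if\s*\(\s*!\s*defined\s*\(\s*['"]DOKU_INC['"]\s*\)\s*\)\s*die\s*\("""
)

# Sub-directories of the savedir that hold wiki content (assumed layout).
DATA_SUBDIRS = ("pages", "meta", "attic", "media", "cache")


def php_files_without_guard(root, entry_points=frozenset()):
    """Return .php files under root (relative, '/'-separated) whose first
    4 KiB lack the guard.  Paths in entry_points are skipped: scripts such
    as doku.php are meant to be requested directly and must not die()."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in entry_points:
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                head = fh.read(4096)
            if not GUARD_RE.search(head):
                missing.append(rel)
    return sorted(missing)


def htaccess_denies(directory):
    """True if directory/.htaccess blocks all requests (Apache 2.2 or 2.4 syntax)."""
    try:
        with open(os.path.join(directory, ".htaccess"), encoding="utf-8") as fh:
            text = fh.read().lower()
    except FileNotFoundError:
        return False
    return "deny from all" in text or "require all denied" in text


def exposed_data_dirs(docroot, savedir, honour_htaccess=True):
    """Return the DATA_SUBDIRS of savedir that a web client could fetch.

    A savedir outside docroot is unreachable whatever .htaccess says.  Below
    docroot, a deny rule in savedir or in the sub-directory itself only helps
    when honour_htaccess is True (Apache with AllowOverride); pass False to
    model a server like IIS that ignores .htaccess files entirely."""
    docroot = os.path.realpath(docroot)
    savedir = os.path.realpath(savedir)
    if os.path.commonpath([docroot, savedir]) != docroot:
        return []
    exposed = []
    for sub in DATA_SUBDIRS:
        path = os.path.join(savedir, sub)
        if not os.path.isdir(path):
            continue
        if honour_htaccess and (htaccess_denies(savedir) or htaccess_denies(path)):
            continue
        exposed.append(sub)
    return exposed


def build_demo_tree():
    """Constructed sample install (not a real DokuWiki checkout) for the demo.
    Returns the temporary directory acting as the document root."""
    root = tempfile.mkdtemp(prefix="dw_audit_")
    files = {
        "doku.php": "<?php\ndefine('DOKU_INC', __DIR__ . '/');\n",
        "lib/plugins/info/syntax.php":
            "<?php\n// must be run within dokuwiki\nif (!defined('DOKU_INC')) die();\n",
        "inc/parser/parser.php": "<?php\nfunction p_render() {}\n",  # no guard
        "data/pages/private/hidden.txt": "secret content\n",
        "data/meta/private/hidden.meta": "",
        "data/.htaccess": "order allow,deny\ndeny from all\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    savedir = os.path.join(root, "data")
    print("php files without guard:", php_files_without_guard(root, {"doku.php"}))
    print("exposed data dirs (Apache, .htaccess honoured):", exposed_data_dirs(root, savedir))
    print("exposed data dirs (IIS, .htaccess ignored):",
          exposed_data_dirs(root, savedir, honour_htaccess=False))
```

On the constructed tree the Apache view reports nothing exposed because `data/.htaccess` denies everything, while the IIS view reports `pages` and `meta`: exactly the situation in which `hidden.txt` becomes fetchable by URL. The guard scan flags `inc/parser/parser.php` and leaves the plugin file and the allow-listed entry point alone. Run against a real install, point `docroot` at the web root and `savedir` at the configured savedir; a clean result from the Apache view still only means something if the server actually honours .htaccess, which is the point the message makes.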
