[dokuwiki] Re: how much of a risk is xmlrpc over http?

On 13/04/11 16:45, Michael Hamann wrote:
Hi,

Excerpts from andy baxter's message of 2011-04-13 09:22:37 +0200:
[...]
Could you let me know a bit more about what the risks are; for example
how much more of a risk is it to use xmlrpc over http than just to do a
standard site login over http?
The risk is basically that with every request your password is sent in
plaintext to the server - or if you are using URL parameters for the
login it might even appear in server log files. We however support also
a cookie-based approach which is used in the sync plugin, so in the sync
plugin the password is only transfered once for every sync/request you
do. If you enable XML-RPC just for your user account there shouldn't be
any additional risk. Also cookies aren't completely safe, currently all
cookies, in the future only if the remember me box is checked, are like
a login and password for your account and remain valid until you change
your password, for details have a look at:
http://bugs.dokuwiki.org/index.php?do=details&task_id=2202

So in short: If you are concerned about the data and your login data and
that somebody might intercept your connection to the server consider
using SSL (for your whole wiki, not just for XML-RPC), but there
shouldn't be any additional risk apart from the risks that exist for the
normal web interface, too - provided that you restrict XML-RPC usage to
certain users because bots could use the XML-RPC interface to easily
change large parts of the wiki.

Thanks - that's clear and really helpful :)

I'm more worried about losing data than someone else having it, so if I keep good backups and restrict xmlrpc to one user, it sounds like I should be ok.
--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist

Other related posts: