[dokuwiki] Re: HTML header, generator and keywords

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Sun, 8 Apr 2007 00:49:11 +0200

On Sat, 07 Apr 2007 20:31:45 +0200
Sebastian Pipping <webmaster@xxxxxxxxxxxx> wrote:

> No! I didn't say removing the version info
> would make DokuWiki secure. All I'm saying
> is that this info increases the risk of an
> attack. Imagine someone with knowledge
> of a security hole in version 123: This
> person could search the web for installations
> of this specific version which he would not
> have tried to attack otherwise.

He could also simply attack *all* DokuWikis. It wouldn't matter much.

> Btw did you know searching for "DokuWiki Installer"
> will point you to people who forgot to delete
> install.php? If one of these people would not
> have installed DokuWiki (say he saved it for
> later) an attacker could install it on his
> own, activate PHP code in config and execute
> whatever PHP is allowed to.

The installer stops working when a local config file exists or the
hash of the dokuwiki.conf.php file does not match. It's recommended to
delete this file but it won't be a real security risk if it is
forgotten. If someone does not run the installer after installing
DokuWiki, well, that's human error we cannot fix.
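
The two installer guards described in the reply above, turned into an audit an administrator can run over a web root; this is an added example, not part of the original post and not DokuWiki's own code. The paths `install.php`, `conf/local.php` and `conf/dokuwiki.php`, the use of SHA-256, and the `known_default_hashes` parameter are assumptions, since the post names neither exact paths nor a hash algorithm.

```python
import hashlib
from pathlib import Path

# Assumed DokuWiki layout (the post only says "local config file" and
# "dokuwiki.conf.php"); these relative paths are assumptions.
INSTALLER = Path("install.php")
LOCAL_CONF = Path("conf/local.php")
DEFAULT_CONF = Path("conf/dokuwiki.php")


def file_hash(path):
    """SHA-256 of a file; the algorithm is a stand-in, the post names none."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def installer_state(wiki_root, known_default_hashes=()):
    """Classify one wiki directory by the two guards described in the post."""
    root = Path(wiki_root)
    if not (root / INSTALLER).is_file():
        return "removed"
    if (root / LOCAL_CONF).is_file():
        return "blocked-local-config"
    default = root / DEFAULT_CONF
    # Without known hashes the second guard cannot be evaluated, so the
    # directory is conservatively reported as open.
    if known_default_hashes and (
            not default.is_file()
            or file_hash(default) not in known_default_hashes):
        return "blocked-hash-mismatch"
    # Installer present, never run, default config untouched: anyone who can
    # reach install.php can complete the installation.
    return "open"


def audit(webroot, known_default_hashes=()):
    """Map every directory under webroot that holds install.php to its state."""
    results = {}
    for installer in sorted(Path(webroot).rglob(INSTALLER.name)):
        wiki = installer.parent
        results[str(wiki.relative_to(webroot))] = installer_state(
            wiki, known_default_hashes)
    return results
```

Directories reported as `open` are the unpacked-but-never-installed case from the quoted message; running the installer or deleting `install.php` closes them.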


