Recent Changes - Search:

PmWiki

pmwiki.org

edit SideBar

https://www.jetphotos.com/photographer/598301 https://www.jetphotos.com/photographer/598304 https://www.jetphotos.com/photographer/598305 https://www.jetphotos.com/photographer/598307 https://www.jetphotos.com/photographer/598310 https://www.jetphotos.com/photographer/598312 https://www.jetphotos.com/photographer/598317 https://www.jetphotos.com/photographer/598318 https://www.jetphotos.com/photographer/598320 https://www.jetphotos.com/photographer/598321 https://www.jetphotos.com/photographer/598322 https://www.jetphotos.com/photographer/598324 https://www.jetphotos.com/photographer/598328 https://www.jetphotos.com/photographer/598340 https://www.jetphotos.com/photographer/598341 https://www.jetphotos.com/photographer/598346 https://www.jetphotos.com/photographer/598349 https://www.jetphotos.com/photographer/598357 https://www.jetphotos.com/photographer/598366 https://www.jetphotos.com/photographer/598372 https://www.jetphotos.com/photographer/598374 https://www.jetphotos.com/photographer/598378 https://www.jetphotos.com/photographer/600028 https://www.jetphotos.com/photographer/600031 https://www.jetphotos.com/photographer/600032 https://www.jetphotos.com/photographer/600034 https://www.jetphotos.com/photographer/600036 https://www.jetphotos.com/photographer/600037 https://www.jetphotos.com/photographer/600039 https://www.jetphotos.com/photographer/600041 https://www.jetphotos.com/photographer/600042 https://www.jetphotos.com/photographer/600045 https://www.jetphotos.com/photographer/600046 https://www.jetphotos.com/photographer/600047 https://www.jetphotos.com/photographer/600048 https://www.jetphotos.com/photographer/600050 https://www.jetphotos.com/photographer/600051 https://www.jetphotos.com/photographer/600052 https://www.jetphotos.com/photographer/600053 https://www.jetphotos.com/photographer/600055 https://www.jetphotos.com/photographer/600057 https://www.jetphotos.com/photographer/600641 https://www.jetphotos.com/photographer/600644 https://www.jetphotos.com/photographer/600645 https://www.jetphotos.com/photographer/600646 https://www.jetphotos.com/photographer/602231 https://www.jetphotos.com/photographer/602240 https://www.jetphotos.com/photographer/602244 https://www.jetphotos.com/photographer/602247 https://www.jetphotos.com/photographer/602261 https://www.jetphotos.com/photographer/602265 https://www.jetphotos.com/photographer/602279 https://www.jetphotos.com/photographer/602307 https://www.jetphotos.com/photographer/602315 https://www.jetphotos.com/photographer/602323 https://www.jetphotos.com/photographer/602340 https://www.jetphotos.com/photographer/602346 https://www.jetphotos.com/photographer/602741 https://www.jetphotos.com/photographer/602743 https://www.jetphotos.com/photographer/602744 https://www.jetphotos.com/photographer/602745 https://www.jetphotos.com/photographer/602746 https://www.jetphotos.com/photographer/602748 https://www.jetphotos.com/photographer/602749 https://www.jetphotos.com/photographer/602750 https://www.jetphotos.com/photographer/602757 https://www.jetphotos.com/photographer/602758 https://www.jetphotos.com/photographer/602762 https://www.jetphotos.com/photographer/602763 https://www.jetphotos.com/photographer/602764 https://www.jetphotos.com/photographer/602769 https://www.jetphotos.com/photographer/602770 https://www.jetphotos.com/photographer/602772 https://www.jetphotos.com/photographer/602773 https://www.jetphotos.com/photographer/602774 https://www.jetphotos.com/photographer/602775 https://www.jetphotos.com/photographer/601186 https://www.jetphotos.com/photographer/601188 https://www.jetphotos.com/photographer/601189 https://www.jetphotos.com/photographer/601191 https://www.jetphotos.com/photographer/601192 https://www.jetphotos.com/photographer/601194 https://www.jetphotos.com/photographer/601196 https://www.jetphotos.com/photographer/601197 https://www.jetphotos.com/photographer/601248 https://www.jetphotos.com/photographer/601249 https://www.jetphotos.com/photographer/601250 https://www.jetphotos.com/photographer/601251 https://www.jetphotos.com/photographer/601252 https://www.jetphotos.com/photographer/601254 https://www.jetphotos.com/photographer/601255 https://www.jetphotos.com/photographer/601256 https://www.jetphotos.com/photographer/601258 https://www.jetphotos.com/photographer/601260 https://www.jetphotos.com/photographer/601261 https://www.jetphotos.com/photographer/601263 https://www.jetphotos.com/photographer/601264 https://www.jetphotos.com/photographer/601265 https://www.jetphotos.com/photographer/601266 https://www.jetphotos.com/photographer/601267 https://www.jetphotos.com/photographer/601268 https://www.jetphotos.com/photographer/601269 https://www.jetphotos.com/photographer/601270 https://www.jetphotos.com/photographer/601272 https://www.jetphotos.com/photographer/601273 https://www.jetphotos.com/photographer/602779 https://www.jetphotos.com/photographer/602780 https://www.jetphotos.com/photographer/602781 https://www.jetphotos.com/photographer/602782 https://www.jetphotos.com/photographer/600111 https://www.jetphotos.com/photographer/600112 https://www.jetphotos.com/photographer/600148 https://www.jetphotos.com/photographer/600151 https://www.jetphotos.com/photographer/600155 https://www.jetphotos.com/photographer/600157 https://www.jetphotos.com/photographer/600159 https://www.jetphotos.com/photographer/600161 https://www.jetphotos.com/photographer/600163 https://www.jetphotos.com/photographer/600647 https://www.jetphotos.com/photographer/600648 https://www.jetphotos.com/photographer/600649 https://www.jetphotos.com/photographer/600650 https://www.jetphotos.com/photographer/602889 https://www.jetphotos.com/photographer/602890 https://www.jetphotos.com/photographer/602891 https://www.jetphotos.com/photographer/602895 https://www.jetphotos.com/photographer/602897 https://www.jetphotos.com/photographer/602900 https://www.jetphotos.com/photographer/602904 https://www.jetphotos.com/photographer/602907 https://www.jetphotos.com/photographer/602913 https://www.jetphotos.com/photographer/602916 https://www.jetphotos.com/photographer/602918 https://www.jetphotos.com/photographer/602922 https://www.jetphotos.com/photographer/602923 https://www.jetphotos.com/photographer/602925 https://www.jetphotos.com/photographer/602926 https://www.jetphotos.com/photographer/600534 https://www.jetphotos.com/photographer/600535 https://www.jetphotos.com/photographer/600536 https://www.jetphotos.com/photographer/600538 https://www.jetphotos.com/photographer/600539 https://www.jetphotos.com/photographer/600540 https://www.jetphotos.com/photographer/600542 https://www.jetphotos.com/photographer/600543 https://www.jetphotos.com/photographer/600544 https://www.jetphotos.com/photographer/600547 https://www.jetphotos.com/photographer/600548 https://www.jetphotos.com/photographer/600549 https://www.jetphotos.com/photographer/600550 https://www.jetphotos.com/photographer/600552 https://www.jetphotos.com/photographer/600553 https://www.jetphotos.com/photographer/600555 https://www.jetphotos.com/photographer/600558 https://www.jetphotos.com/photographer/600565 https://www.jetphotos.com/photographer/600566 https://www.jetphotos.com/photographer/600567 https://www.jetphotos.com/photographer/600568 https://www.jetphotos.com/photographer/600571 https://www.jetphotos.com/photographer/600573 https://www.jetphotos.com/photographer/600575 https://www.jetphotos.com/photographer/600576 https://www.jetphotos.com/photographer/600577 https://www.jetphotos.com/photographer/600578 https://www.jetphotos.com/photographer/600666 https://www.jetphotos.com/photographer/600668 https://www.jetphotos.com/photographer/600669 https://www.jetphotos.com/photographer/600670 https://www.jetphotos.com/photographer/602963 https://www.jetphotos.com/photographer/601276 https://www.jetphotos.com/photographer/601280 https://www.jetphotos.com/photographer/601281 https://www.jetphotos.com/photographer/601284 https://www.jetphotos.com/photographer/601285 https://www.jetphotos.com/photographer/601286 https://www.jetphotos.com/photographer/601287 https://www.jetphotos.com/photographer/601288 https://www.jetphotos.com/photographer/601291 https://www.jetphotos.com/photographer/601293 https://www.jetphotos.com/photographer/602776 https://www.jetphotos.com/photographer/602777 https://www.jetphotos.com/photographer/602955 https://www.jetphotos.com/photographer/602956 https://www.jetphotos.com/photographer/602957 https://www.jetphotos.com/photographer/602959 https://www.jetphotos.com/photographer/602960 https://www.jetphotos.com/photographer/602961

Security

Aspects of PmWiki security are found on the following pages:

Pages distributed in a PmWiki release:

  • Page history History of previous edits to a page
  • Passwords General use of passwords and login
  • Passwords Admin More password options for the administrator
  • AuthUser Authorization system that uses usernames and passwords
  • Url Approvals Require approval of Url links
  • Site Analyzer
  • Blocklist Blocking IP addresses, phrases, and expressions to counteract spam and vandalism.
  • Notify How to receive email messages whenever pages are changed on the whole wiki site, individual groups or selected watchlists of pages
  • Security variables variables crucial for site security

Cookbook pages

How do I report a possible security vulnerability of PmWiki?

Pm wrote about this in a post to pmwiki-users from September 2006. In a nutshell he differentiates two cases:

  1. The possible vulnerability isn't already known publicly: In this case please contact us by private mail.
  2. The possible vulnerability is already known publicly: In this case feel free to discuss the vulnerability in public (e.g. on pmwiki-users or in the PITS).

See his post mentioned above for details and rationals.

What about the botnet security advisory at http://isc.sans.org/diary.php?storyid=1672?

Sites that are running with PHP's register_globals setting set to "On" and versions of PmWiki prior to 2.1.21 may be vulnerable to a botnet exploit that is taking advantage of a bug in PHP. The vulnerability can be closed by turning register_globals off, upgrading to PmWiki 2.1.21 or later, or upgrading to PHP versions 4.4.3 or 5.1.4.
In addition, there is a test at PmWiki:SiteAnalyzer that can be used to determine if your site is vulnerable.

Wiki Vandalism and Spam

Assumptions
you are using a Blocklist and Url approvals.
You don't want to resort to password protecting the entire wiki, that's not the point after all.
Ideally these protections will be invoked in config.php

How do I stop pages being deleted, eg password protect a page from deletion?

Use Cookbook:DeleteAction and password protect the page deletion action by adding $DefaultPasswords['delete'] = '*'; to config.php or password protect the action with $HandleAuth['delete'] = 'edit';

or $HandleAuth['delete'] = 'admin'; to require the edit or admin password respectively.

How do I stop pages being replaced with an empty (all spaces) page?

Add block: /^\s*$/ to your blocklist.

how do I stop pages being completely replaced by an inane comment such as excellent site, great information, where the content cannot be blocked?

Try using the newer automatic blocklists that pull information and IP addresses about known wiki defacers.

(OR) Try using Cookbook:Captchas or Cookbook:Captcha (note these are different).

(OR) Set an edit password, but make it publicly available on the Site.AuthForm template.

How do I password protect the creation of new groups?

See Cookbook:Limit Wiki Groups

How do I password protect the creation of new pages?

See Cookbook:Limit new pages in Wiki Groups

How do I take a whitelist approach where users from known or trusted IP addresses can edit, and others require a password?

Put these lines to local/config.php:

## Allow passwordless editing from own turf, pass for others.
if ($action=='edit'
 && !preg_match("/^90\\.68\\./", $_SERVER['REMOTE_ADDR']) )    
 { $DefaultPasswords['edit'] = pmcrypt('foobar'); }

Replace 90.68. with the preferred network prefix and foobar with the default password for others.

For a single IP, you may use

if($_SERVER['REMOTE_ADDR'] == '127.0.0.1') { # your IP address here
 $_POST['authpw'] = 'xxx';                  # the admin password
}

Please note the security issues : this means that you have your admin passwords in clear in config.php and someone with access to the filesystem can read them (for example a technician of your hosting provider) ; your IP address may change from time to time (unless you have a fixed IP contract with your ISP). When that happens, someone with your old IP address will be logged in automatically as admin on your wiki. It is extremely unlikely to become a problem, but you should know it is possible ; if you are behind a router, all other devices which pass through that router will have the same IP address for PmWiki - your wifi phone, your wife's netbook, a neighbour using your wifi connection, etc. All these people become admins of your wiki. Again, you should evaluate if this is a security risk ; In some cases, your ISP will route your traffic through the same proxy as other people. In such a case, thousands of people may have the same IP address.

See also Cookbook:AuthDNS & Cookbook:PersistentLogin

How do I password protect page actions?

See Passwords for setting in config.php

$HandleAuth['pageactionname'] = 'pageactionname'; # along with :
$DefaultPasswords['pageactionname'] = pmcrypt('secret phrase');

or

$HandleAuth['pageactionname'] = 'anotherpageactionname';

How do I moderate all postings?

Enable PmWiki.Drafts

  • Set $EnableDrafts, this relabels the "Save" button to "Publish" and a "Save draft" button appears.
  • Set $EnablePublishAttr, this adds a new "publish" authorization level to distinguish editing from publishing.

How do I make a read only wiki?

In config.php set an "edit" password.

How do I restrict access to uploaded attachments?

See

How do I hide the IP addresses in the "diff" pages?

If the user fills an author name, the IP address is not displayed. To require an author name, set in config.php such a line:

  $EnablePostAuthorRequired = 1;

The IP address can also be seen in a tooltip title when the mouse cursor is over the author name. To disable the tooltip, set in config.php:

$DiffStartFmt = 
  "<div class='diffbox'><div class='difftime'><a name='diff\$DiffGMT' href='#diff\$DiffGMT'>\$DiffTime</a>
   \$[by] <span class='diffauthor'>\$DiffAuthor</span> - \$DiffChangeSum</div>";

How do I stop some Apache installations executing a file which has ".php", ".pl" or ".cgi" anywhere in the filename

Use $UploadBlacklist

How do I stop random people from viewing the ?action=source (wiki markup) of my pages? I have (:if auth edit:) text that I don't want the world to see.

$HandleAuth['source'] = 'edit'; or $HandleAuth['source'] = 'admin';

How to I secure my cookies?

See $EnableCookieSecure and $EnableCookieHTTPOnly


This page may have a more recent version on pmwiki.org: PmWiki:Security, and a talk page: PmWiki:Security-Talk.

Edit - History - Print - Recent Changes - Search
Page last modified on December 02, 2018, at 05:50 AM