Englisch:
|
PmWikiDe /
SicherheitAutoren (Fortgeschritten) und Administratoren
(deutsche Übersetzung der Seite PmWiki.Security, Stand 2008-03-18) Einzelne Aspekte zur Sicherheit von Pm Wiki sind auf den folgenden Seiten zu finden: Dokumentationsseiten:
Kochbuch-Seiten (nur auf Englisch verfügbar):
<< Uploads Administration | Dokumentations-Index | Spezielle Installation bei verschiedenen Providern >> What about the botnet security advisory at http://isc.sans.org/diary.php?storyid=1672? Sites that are running with PHP's register_globals setting set to "On" and versions of Pm Wiki prior to 2.1.21 may be vulnerable to a botnet exploit that is taking advantage of a bug in PHP. The vulnerability can be closed by turning register_globals off, upgrading to Pm Wiki 2.1.21 or later, or upgrading to PHP versions 4.4.3 or 5.1.4. Wiki Vandalism
how do I stop pages being deleted, eg password protect a page from deletion? use Cookbook:DeleteAction and password protect the page deletion action? by adding or $HandleAuth['delete'] = 'admin'; to require the edit or admin password respectively.
how do I stop pages being replaced with an empty (all spaces) page? Add how do I stop pages being completely replaced by an inane comment such as excellent site, great information, where the content cannot be blocked? Try using the newer automatic blocklists that pool information and IP addresses about known wiki defacers. or Try using Cookbook:Captchas or Cookbook:Captcha , (note these are different} or Set an edit password, but make it publicly available on the Site.AuthForm template. how do I password protect all common pages in all groups such as recent changes, search, group header, group footer, and so on? insert the following lines into your local/config.php file. Editing these pages then requires the admin password. ## Require admin password to edit RecentChanges (etc.) pages. if ($action=='edit' && preg_match('/\\.(Search|Group(Header|Footer)|(All)?RecentChanges)$/', $pagename)) { $DefaultPasswords['edit'] = crypt('secret phrase'); } Note that all Group Attributes pages are protected by the attr password. Alternative:
I think because of my clean UR Ls? setup I had to shorten the regular expression a little to make it work. furthermore I set the edit password for these pages to the admin password set in ## Require admin password to edit RecentChanges (etc.) pages. if ($action=='edit' && preg_match('(Search|Group(Header|Footer)|(All)?RecentChanges)', $pagename)) { $HandleAuth['edit'] = 'admin'; } As far as I could see in my tests this seems to work for me as expected. --Rico, 2007-02-02 how do I password protect the creation of new groups? see Cookbook:Limit Wiki Groups how do I password protect the creation of new pages? see Cookbook:Limit new pages in Wiki Groups how do I take a whitelist approach where users from known or trusted IP addresses can edit, and others require a password? Put these lines to local/config.php: ## Allow passwordless editing from own turf, pass for others. if ($action=='edit' && !preg_match("^90.68.", $_SERVER['REMOTE_ADDR']) ) { $DefaultPasswords['edit'] = crypt('foobar'); } Replace 90.68. with the preferred network prefix and foobar with the default password for others. how do I, in ? how do I password protect page actions? see Passwords for setting in config.php $DefaultPasswords['pageactionname'] = crypt('secret phrase');
or $HandleAuth['pageactionname'] = 'anotherpageactionname';
How do I only allow authors to post if they have a Profile?? Add this to your local/config.php below if(!Page Exists?('Profiles.'.$Author)&&$action=='edit')
$HandleAuth['edit'] = 'admin';
This is a possible solution, but be warned: author can't edit their wiki page in Profiles? group too.
Add How to make a rule that allows only authors to edit their own wiki page in Profiles? group? Add this to your local/config.php if($group=='Profiles') $DefaultPasswords['edit'] = 'id:'.$name;
how do I moderate all postings? Enable PmWiki.Drafts
|