(:Summary: Resources for securing your PmWiki installation:)
Aspects of PmWiki security are found on the following pages:

Pages distributed in a PmWiki release:
* [[PmWiki/Passwords]] {PmWiki/Passwords$:Summary}
* [[PmWiki/Passwords Admin]] {PmWiki/PasswordsAdmin$:Summary}
* [[PmWiki/AuthUser]] {PmWiki/AuthUser$:Summary}
* [[PmWiki/Url Approvals]] {PmWiki/UrlApprovals$:Summary}
* [[(PmWiki:)Site Analyzer]] {PmWiki/SiteAnalyzer$:Summary}
* [[PmWiki/Blocklist]] {PmWiki/Blocklist$:Summary}
* [[PmWiki/Notify]] {PmWiki/Notify$:Summary}
* [[PmWiki/Security variables]] {PmWiki/SecurityVariables$:Summary}

[[Cookbook(:/)]] Pages
* [[Cookbook:Cookbook#Security | Cookbook index for Security recipes]]
* [[Cookbook:HtpasswdForm]] Form-based management of users and passwords using .htpasswd/.htgroup files
* [[Cookbook:Secure attachments]] Protecting uploaded attachments
* [[Cookbook:Web server security]] Making the server more secure with .htaccess
* [[Cookbook:Farm security]] Making Farm installations secure
* [[Cookbook:DeObMail]] Hide e-mail addresses
* [[Cookbook:Protect email]] Obfuscate e-mail addresses
* [[Cookbook:Audit images]] Check which images have been uploaded to your wiki
* [[Cookbook:Private groups]] Create and secure private groups on a public wiki
* [[Cookbook:Only one login]] Only allow one login at a time for a username
* [[Cookbook:Session guard]] Protects against session theft

>>faq<<
[[#faq]]
Q: How do I report a possible security vulnerability of PmWiki?

A: [[http://www.pmichaud.com|Pm]] wrote about this in [[http://pmichaud.com/pipermail/pmwiki-users/2006-September/031793.html | a post to pmwiki-users from September 2006]]. In a nutshell he differentiates two cases:
## The possible vulnerability isn't already known publicly: in this case please [[contact us]] by private mail.
## The possible vulnerability is already known publicly: in this case feel free to discuss the vulnerability in public (e.g.
on [[http://www.pmichaud.com/mailman/listinfo/pmwiki-users | pmwiki-users]] or in the [[(PITS:)PITS]]). See [[http://pmichaud.com/pipermail/pmwiki-users/2006-September/031793.html | his post mentioned above]] for details and rationale.

Q: What about the botnet security advisory at %newwin%[[http://isc.sans.org/diary.php?storyid=1672]]?

A: Sites that are running with PHP's ''register_globals'' setting set to "On" and versions of PmWiki prior to 2.1.21 may be vulnerable to a botnet exploit that is taking advantage of a bug in PHP. The vulnerability can be closed by turning ''register_globals'' off, upgrading to PmWiki 2.1.21 or later, or upgrading to PHP version 4.4.3 or 5.1.4. [[<<]]In addition, there is a test at [[PmWiki:SiteAnalyzer]] that can be used to determine if your site is vulnerable.

[[#wikivandalism]]
!! Wiki Vandalism and [[!Spam]]

:Assumptions: you are using a [[PmWiki/Blocklist]] and [[PmWiki/Url approvals]].
: :You don't want to resort to [[PmWiki/password(s)]] protecting the entire wiki; that's not the point after all.
: :Ideally these protections will be invoked in @@config.php@@.

Q: How do I stop pages being [[PmWiki/DeletingPages|deleted]], e.g. password protect a page from deletion?

A: Use Cookbook:DeleteAction and password protect the page deletion [[(available) action(s)]] by adding [@$DefaultPasswords['delete'] = '*';@] to @@config.php@@, or password protect the action with @@$HandleAuth['delete'] = 'edit';@@
->or @@$HandleAuth['delete'] = 'admin';@@ to require the edit or admin password respectively.

Q: How do I stop pages being replaced with an empty (all spaces) page?

A: Add [@block: /^\s*$/@] to your [[PmWiki/blocklist]].

Q: How do I stop pages being completely replaced by an inane comment such as ''excellent site'' or ''great information'', where the content cannot be blocked?

A: Try using the newer [[PmWiki/Blocklist#automaticblocklists | automatic blocklists]] that pull information and IP addresses about known wiki defacers.
A: (OR) Try using [[Cookbook:Captchas]] or [[Cookbook:Captcha]] (note these are different).

A: (OR) Set an edit password, but make it publicly available on the [[{$SiteGroup}.AuthForm]] template.

Q: How do I password protect the creation of new groups?

A: See [[Cookbook:Limit Wiki Groups]] {Cookbook.LimitWikiGroups$:Summary}

Q: How do I password protect the creation of new pages?

A: See [[Cookbook:Limit new pages in Wiki Groups]] {Cookbook.LimitNewPagesInWikiGroups$:Summary}

Q: How do I take a whitelist approach where users from known or trusted IP addresses can edit, and others require a password?

A: Put these lines in local/config.php:
[@
## Allow passwordless editing from own turf, password for others.
if ($action=='edit' && !preg_match("/^90\\.68\\./", $_SERVER['REMOTE_ADDR']) ) {
  $DefaultPasswords['edit'] = crypt('foobar');
}
@]
Replace 90.68. with the preferred network prefix and foobar with the default password for others.

A: See also Cookbook:AuthDNS.

Q: How do I password protect [[PmWiki/AvailableActions|page actions]]?

A: See [[PmWiki/Passwords]] for setting in config.php
-> @@$HandleAuth['[==]''pageactionname''[==]'] = 'pageactionname'; # along with :@@
-> @@$DefaultPasswords['[==]''pageactionname''[==]'] = crypt('secret phrase');@@

A: or
-> @@$HandleAuth['[==]''pageactionname''[==]'] = 'anotherpageactionname';@@

Q: How do I moderate all postings?

A: Enable [[PmWiki.Drafts]]
* Set $EnableDrafts; this relabels the "Save" button to "Publish" and a "Save draft" button appears.
* Set $EnablePublishAttr; this adds a new "publish" authorization level to distinguish editing from publishing.

Q: How do I make a read-only wiki?

A: In config.php [[PmWiki/PasswordsAdmin | set]] an "edit" password.

Q: How do I restrict access to [[PmWiki/Uploads|uploaded attachments]]?
A: See
* [[PmWiki/UploadsAdmin#direct_download|instructions]] for denying public access to the uploads directory
* [[Cookbook:Secure attachments]] {Cookbook.SecureAttachments$:Summary}

Q: How do I hide the IP addresses in the "diff" pages?

A: If the user fills in an author name, the IP address is not displayed. To require an author name, set in config.php a line such as:
[@
$EnablePostAuthorRequired = 1;
@]

A: The IP address can also be seen in a tooltip title when the mouse cursor is over the author name. To disable the tooltip, set in config.php:
[@
$DiffStartFmt = "
\$DiffTime \$[by] \$DiffAuthor - \$DiffChangeSum
";
@]
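The following is an added example (not part of the PmWiki distribution or its documentation) that generalizes the IP-whitelist answer above from a single prefix regex to a list of CIDR ranges checked with a proper network mask, and adds the register_globals/version condition from the botnet advisory answer as a startup guard. `$TrustedEditNets`, `cidr_match()` and `ip_trusted()` are names assumed here, the network ranges are constructed sample values, and 64-bit PHP is assumed for the mask arithmetic.

```php
## Added example fragment for an existing local/config.php (not PmWiki's own code).
## Assumed names: $TrustedEditNets, cidr_match(), ip_trusted(). Assumes 64-bit PHP.

## 1. Guard against the configuration the botnet advisory describes:
##    register_globals On together with a PmWiki older than 2.1.21.
##    $VersionNum is set by pmwiki.php before config.php is included (2.1.21 -> 2001021).
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN) && $VersionNum < 2001021) {
  exit('Refusing to run: register_globals is On and this PmWiki is older than 2.1.21.');
}

## 2. Trusted networks that may edit without a password (constructed sample ranges).
$TrustedEditNets = array('90.68.0.0/16', '10.1.2.0/24', '203.0.113.7');

## True when IPv4 $ip lies inside $cidr ("a.b.c.d/n" or a bare address); false for malformed input.
function cidr_match($ip, $cidr) {
  if (strpos($cidr, '/') === false) $cidr .= '/32';
  list($net, $bits) = explode('/', $cidr, 2);
  $ipl = ip2long($ip);
  $netl = ip2long($net);
  if ($ipl === false || $netl === false || !ctype_digit($bits) || (int)$bits > 32) return false;
  $bits = (int)$bits;
  $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
  return (($ipl & $mask) == ($netl & $mask));
}

## True when $ip is inside any of the ranges in $nets.
function ip_trusted($ip, $nets) {
  foreach ($nets as $net) {
    if (cidr_match($ip, $net)) return true;
  }
  return false;
}

## Use REMOTE_ADDR only: X-Forwarded-For is client-supplied and cannot be trusted unless a
## reverse proxy in front of this server overwrites it; behind such a proxy REMOTE_ADDR is the
## proxy itself and the client address must come from the proxy's own trusted header instead.
$ClientIP = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

## 3. Same mechanism as the answer above: a default edit password only for untrusted addresses.
##    An explicit salt is passed because PHP 8 makes crypt()'s salt argument mandatory.
if ($action == 'edit' && !ip_trusted($ClientIP, $TrustedEditNets)) {
  $DefaultPasswords['edit'] = crypt('foobar', '$1$PmWkSalt$');
}
```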