(:Summary: Resources for securing your PmWiki installation:)
Aspects of PmWiki security are found on the following pages:

Pages distributed in a PmWiki release:
* [[PmWiki/Passwords]] {PmWiki/Passwords$:Summary}
* [[PmWiki/Passwords Admin]] {PmWiki/PasswordsAdmin$:Summary}
* [[PmWiki/Url Approvals]] {PmWiki/UrlApprovals$:Summary}
* [[(PmWiki:)Site Analyzer]] {PmWiki/SiteAnalyzer$:Summary}
* [[PmWiki/Blocklist]] {PmWiki/Blocklist$:Summary}
* [[PmWiki/Notify]] {PmWiki/Notify$:Summary}
* [[PmWiki/Security variables]] {PmWiki/SecurityVariables$:Summary}

[[Cookbook(:/)]] Pages
* [[Cookbook:Cookbook#Security | Cookbook index for Security recipes]]
* [[Cookbook:Secure attachments]] Protecting uploaded attachments
* [[Cookbook:Web server security]] Making the server more secure with .htaccess
* [[Cookbook:Farm security]] Making Farm installations secure
* [[Cookbook:EProtect]] Hide e-mail addresses
* [[Cookbook:Protect email]] Obfuscate e-mail addresses
* [[Cookbook:Audit images]] Check which images have been uploaded to your wiki
* [[Cookbook:Private groups]] Create and secure private groups on a public wiki
* [[Cookbook:Only one login]] Only allow one login at a time per username
* [[Cookbook:Session guard]] Protects against session theft

>>faq<<
[[#faq]]

Q: How do I report a possible security vulnerability in PmWiki?

A: [[http://www.pmichaud.com|Pm]] wrote about this in [[http://pmichaud.com/pipermail/pmwiki-users/2006-September/031793.html | a post to pmwiki-users from September 2006]]. In a nutshell he distinguishes two cases:
## The possible vulnerability is not yet publicly known: in this case please contact Pm by private mail.
## The possible vulnerability is already publicly known: in this case feel free to discuss the vulnerability in public (e.g. on [[http://www.pmichaud.com/mailman/listinfo/pmwiki-users | pmwiki-users]]).
See [[http://pmichaud.com/pipermail/pmwiki-users/2006-September/031793.html | his post mentioned above]] for details and rationale.

Q: What about the botnet security advisory at %newwin%[[http://isc.sans.org/diary.php?storyid=1672]]?

A: Sites running with PHP's ''register_globals'' setting set to "On" and a version of PmWiki prior to 2.1.21 may be vulnerable to a botnet exploit that takes advantage of a bug in PHP. The vulnerability can be closed by turning ''register_globals'' off, upgrading to PmWiki 2.1.21 or later, or upgrading to PHP version 4.4.3 or 5.1.4. [[<<]]In addition, there is a test at [[PmWiki:SiteAnalyzer]] that can be used to determine whether your site is vulnerable.

[[#wikivandalism]]
!! Wiki Vandalism

:Assumptions: you are using a [[PmWiki/Blocklist]] and [[PmWiki/Url approvals]].
: :You don't want to resort to [[PmWiki/password(s)]] protecting the entire wiki; that's not the point, after all.
: :Ideally these protections will be invoked in @@config.php@@.

Q: How do I stop pages being [[PmWiki/DeletingPages|deleted]], e.g. password protect a page against deletion?

A: Use [[Cookbook:DeleteAction]] and password protect the page deletion [[(available) action(s)]] by adding [@$DefaultPasswords['delete'] = '*';@] to @@config.php@@, or password protect the action with @@$HandleAuth['delete'] = 'edit';@@
->or @@$HandleAuth['delete'] = 'admin';@@
to require the edit or admin password respectively.

Q: How do I stop pages being replaced with an empty (all spaces) page?

A: Add [@block: /^\s*$/@] to your [[PmWiki/blocklist]].

Q: How do I stop pages being completely replaced by an inane comment such as ''excellent site'' or ''great information'', where the content itself cannot be blocked?

A: Try using the newer [[PmWiki/Blocklist#automaticblocklists | automatic blocklists]] that pull information and IP addresses about known wiki defacers.

A: (OR) Try using [[Cookbook:Captchas]] or [[Cookbook:Captcha]] (note that these are different recipes).
A: (OR) Set an edit password, but make it publicly available on the [[{$SiteGroup}.AuthForm]] template.

Q: How do I password protect all common pages in all groups, such as recent changes, search, group header, group footer, and so on?

A: Insert the following lines into your local/config.php file. Editing these pages then requires the admin password.
->[@
## Require admin password to edit RecentChanges (etc.) pages.
if ($action=='edit'
    && preg_match('/\\.(Search|Group(Header|Footer)|(All)?RecentChanges)$/', $pagename))
  { $DefaultPasswords['edit'] = crypt('secret phrase'); }
@]
Note that all GroupAttributes pages are protected by the attr password.

'''Alternative:''' you can require 'admin' authentication for these pages:
->[@
## Require admin password to edit RecentChanges (etc.) pages.
if ($action=='edit'
    && preg_match('(Search|Group(Header|Footer)|(All)?RecentChanges)', $pagename))
  { $HandleAuth['edit'] = 'admin'; }
@]

Q: How do I password protect the creation of new groups?

A: See [[Cookbook:Limit Wiki Groups]] {Cookbook.LimitWikiGroups$:Summary}

Q: How do I password protect the creation of new pages?

A: See [[Cookbook:Limit new pages in Wiki Groups]] {Cookbook.LimitNewPagesInWikiGroups$:Summary}

Q: How do I take a whitelist approach where users from known or trusted IP addresses can edit, and others require a password?

A: Put these lines into local/config.php:
[@
## Allow passwordless editing from own turf, password for others.
## The pattern needs delimiters and escaped dots: without them preg_match()
## fails and the password would be required for everyone.
if ($action=='edit' && !preg_match('/^90\.68\./', $_SERVER['REMOTE_ADDR']))
  { $DefaultPasswords['edit'] = crypt('foobar'); }
@]
Replace @@90\.68\.@@ with the preferred network prefix (keeping the dots escaped) and @@foobar@@ with the default password for others.

Q: How do I password protect [[PmWiki/AvailableActions|page actions]]?
A: See [[PmWiki/Passwords]] for setting this in config.php:
-> @@$HandleAuth['[==]''pageactionname''[==]'] = 'pageactionname'; # along with :@@
-> @@$DefaultPasswords['[==]''pageactionname''[==]'] = crypt('secret phrase');@@

A: or
-> @@$HandleAuth['[==]''pageactionname''[==]'] = 'anotherpageactionname';@@

Q: How do I make a rule that allows only authors to edit their own page in the [[Profiles]] group?

A: Add this to your ''local/config.php'':
->@@$name = PageVar($pagename, '$Name');@@
->@@$group = PageVar($pagename, '$Group');@@
->@@if($group=='Profiles') $DefaultPasswords['edit'] = 'id:'.$name;@@

Q: How do I moderate all postings?

A: Enable [[PmWiki.Drafts]]:
* Set $EnableDrafts; this relabels the "Save" button to "Publish" and adds a "Save draft" button.
* Set $EnablePublish; this adds a new "publish" authorization level to distinguish editing from publishing.

Q: How do I make a read-only wiki?

A: In config.php [[PmWiki/PasswordsAdmin | set]] an "edit" password.

Q: How do I restrict access to [[PmWiki/Uploads|uploaded attachments]]?

A: See
* the [[PmWiki/UploadsAdmin#direct_download|instructions]] for denying public access to the uploads directory
* [[Cookbook:Secure attachments]] {Cookbook.SecureAttachments$:Summary}
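The IP whitelist and the Profiles owner rule above, combined into one @@local/config.php@@ fragment as an added example that is not code from PmWiki or its documentation: the whitelist is generalised from a string prefix to CIDR ranges compared numerically, and the Profiles rule also covers the group's shared pages and the attr action. It assumes AuthUser is enabled; the helper names @@IpInCidr@@ and @@IpIsTrusted@@, the sample networks and the passwords are this example's own.

```php
<?php if (!defined('PmWiki')) exit();
## Added example for local/config.php, not code from the PmWiki docs.
## Part 1: passwordless editing from trusted networks, a password for others.
## Ranges are CIDR blocks rather than a string prefix, compared numerically,
## so "90.68.1.2" matches 90.68.0.0/16 while "190.68.1.2" does not.
$TrustedEditNets = array('90.68.0.0/16', '192.0.2.0/24');  # constructed sample

## IPv4-only: true if $ip lies inside $cidr ("a.b.c.d" or "a.b.c.d/bits").
function IpInCidr($ip, $cidr) {
  list($net, $bits) = array_pad(explode('/', $cidr, 2), 2, 32);
  $ip = ip2long($ip); $net = ip2long($net); $bits = (int)$bits;
  if ($ip === false || $net === false || $bits < 0 || $bits > 32) return false;
  ## A /0 matches everything; handle it explicitly, since shifting by 32
  ## is undefined on 32-bit PHP.
  $mask = ($bits == 0) ? 0 : (~0 << (32 - $bits));
  return (($ip & $mask) == ($net & $mask));
}
function IpIsTrusted($ip, $nets) {
  foreach ($nets as $cidr) { if (IpInCidr($ip, $cidr)) return true; }
  return false;
}
## REMOTE_ADDR is set by the web server from the TCP connection. Headers such
## as X-Forwarded-For are client-supplied and only reflect the real address
## when a reverse proxy you control rewrites them.
$clientIp = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if ($action == 'edit' && !IpIsTrusted($clientIp, $TrustedEditNets)) {
  $DefaultPasswords['edit'] = crypt('secret phrase');
}

## Part 2: Profiles pages editable only by their owner. "id:Name" passwords
## resolve to logged-in usernames only when AuthUser is enabled. This part
## runs after Part 1, so on Profiles pages the owner rule takes precedence.
include_once("$FarmD/scripts/authuser.php");
$group = PageVar($pagename, '$Group');
$name  = PageVar($pagename, '$Name');
if ($group == 'Profiles') {
  if (preg_match('/^(Group(Header|Footer|Attributes)|(All)?RecentChanges|Profiles)$/', $name)) {
    ## Shared group pages have no owner: lock them to the admin password.
    $DefaultPasswords['edit'] = '*';
  } else {
    ## Profiles.Alice is editable only by the user logged in as "Alice";
    ## admins always pass. The same rule on 'attr' keeps everyone else from
    ## changing the page's own passwords.
    $DefaultPasswords['edit'] = 'id:'.$name;
    $DefaultPasswords['attr'] = 'id:'.$name;
  }
}
```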