Aspects of PmWiki security are found on the following pages:

Pages distributed in a PmWiki release:

  • Passwords General use of passwords and login
  • Passwords Admin More password options for the administrator
  • AuthUser Authorization system that uses usernames and passwords
  • Url Approvals Require approval of Url links
  • Site Analyzer
  • Blocklist Blocking IP addresses, phrases, and expressions to counteract spam and vandalism.
  • Notify Allows a site administrator to configure PmWiki to send email messages whenever pages are changed on the wiki site
  • Security variables variables crucial for site security

Cookbook Pages

Q How do I report a possible security vulnerability of PmWiki?

A Pm wrote about this in a post to pmwiki-users from September 2006. In a nutshell he differentiates two cases:

  1. The possible vulnerability isn’t already known publicly: In this case please contact Pm by private mail.
  2. The possible vulnerability is already known publicly: In this case feel free to discuss the vulnerability in public (e.g. on pmwiki-users).

See his post mentioned above for details and rationale.

Q What about the botnet security advisory at http://isc.sans.org/diary.php?storyid=1672?

A Sites that are running with PHP’s register_globals setting set to “On” and versions of PmWiki prior to 2.1.21 may be vulnerable to a botnet exploit that is taking advantage of a bug in PHP. The vulnerability can be closed by turning register_globals off, upgrading to PmWiki 2.1.21 or later, or upgrading to PHP 4.4.3 or 5.1.4 (register_globals itself was removed from PHP in 5.4). Turning register_globals off is the fix to prefer in any case, since it closes the whole class of bugs rather than this one instance.
In addition, there is a test at PmWiki:SiteAnalyzer that can be used to determine if your site is vulnerable.

Wiki Vandalism and Spam

Assumptions

  • You are using a Blocklist and Url approvals.
  • You don’t want to resort to password protecting the entire wiki; that’s not the point, after all.
  • Ideally these protections will be invoked in config.php.

Q How do I stop pages being deleted, eg password protect a page from deletion?

A Use Cookbook:DeleteAction and password protect the page deletion action in config.php, either by giving it its own password requirement with

$DefaultPasswords['delete'] = '*';

or by mapping the action onto an existing password with

$HandleAuth['delete'] = 'edit';

or

$HandleAuth['delete'] = 'admin';

to require the edit or admin password respectively.

Q How do I stop pages being replaced with an empty (all spaces) page?

A Add block: /^\s*$/ to your blocklist.
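The rule above only catches a page whose whole text is whitespace; it is worth checking what a blocklist entry does and does not match before it goes live. The following is an added example, not PmWiki’s own blocklist code: a minimal evaluator for Site.Blocklist-style “block:” entries (literal phrases and /regex/ patterns), run over a few constructed submissions. The function names, the extra rules and the sample texts are constructed for this example; the real blocklist also handles IP addresses and “unblock:” lines, which are left out here.

```php
<?php
// Added example, not PmWiki's own blocklist code: a minimal evaluator for
// Site.Blocklist-style "block:" entries, so a rule such as block:/^\s*$/
// can be checked against sample submissions before it is put on the wiki.
// The function names, the extra rules and the sample texts are constructed.

// Turn blocklist text into rules. A pattern written as /.../ is a regular
// expression; anything else is a literal phrase, matched case-insensitively.
// "unblock:" and IP-address entries are ignored here for simplicity.
function parse_blocklist($list) {
    $rules = array();
    foreach (preg_split('/\R/', $list) as $line) {
        if (!preg_match('/^\s*block:\s*(.+?)\s*$/i', $line, $m)) continue;
        $pattern = $m[1];
        if (preg_match('#^/.*/[imsux]*$#', $pattern)) {
            $rules[] = array('regex', $pattern);
        } else {
            $rules[] = array('phrase', $pattern);
        }
    }
    return $rules;
}

// Return the first rule that matches $text, or null if none does.
function blocked_by($rules, $text) {
    foreach ($rules as $rule) {
        list($type, $pattern) = $rule;
        if ($type === 'regex') {
            $hit = @preg_match($pattern, $text);
            if ($hit === false) continue;   // malformed regex: never block on it
            if ($hit) return $pattern;
        } elseif (stripos($text, $pattern) !== false) {
            return $pattern;
        }
    }
    return null;
}

// Constructed blocklist: the whitespace-only rule from the answer above, a
// phrase rule, and a regex that catches a page reduced to a single link.
$blocklist = "block:/^\\s*$/\n"
           . "block:cheap pharmacy\n"
           . "block:/^\\s*\\[\\[https?:\\/\\/[^\\]]+\\]\\]\\s*$/\n";
$rules = parse_blocklist($blocklist);

// Constructed submissions, as a vandal or spambot might post them.
$samples = array(
    'all spaces'    => "   \n\t  \n",
    'single link'   => "[[http://example.com/ | click here]]\n",
    'phrase spam'   => "Buy CHEAP pharmacy pills online",
    'inane comment' => "excellent site, great information",
);

foreach ($samples as $label => $text) {
    $hit = blocked_by($rules, $text);
    printf("%-14s %s\n", $label, $hit === null ? 'allowed' : "blocked by $hit");
}
```

The first three submissions are stopped, each by a different kind of rule; the last one is allowed, because an ordinary sentence has nothing a pattern can match without also matching legitimate edits. That is the case the next question deals with, and pattern rules are the wrong tool for it.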

Q How do I stop pages being completely replaced by an inane comment such as “excellent site, great information”, where the content cannot be blocked?

A Try using the newer automatic blocklists that pull information and IP addresses about known wiki defacers.

A (OR) Try using Cookbook:Captchas or Cookbook:Captcha (note these are different).

A (OR) Set an edit password, but make it publicly available on the Site.AuthForm template.

Q How do I password protect the creation of new groups?

A See Cookbook:Limit Wiki Groups

Q How do I password protect the creation of new pages?

A See Cookbook:Limit new pages in Wiki Groups

Q How do I take a whitelist approach where users from known or trusted IP addresses can edit, and others require a password?

A Put these lines in local/config.php:

## Allow passwordless editing from own turf, pass for others.
if ($action=='edit'
 && !preg_match("/^90\\.68\\./", $_SERVER['REMOTE_ADDR']) )    
 { $DefaultPasswords['edit'] = crypt('foobar'); }

Replace 90.68. with the preferred network prefix and foobar with the default password for others. Two caveats: the test compares the address as a string, so the prefix must end on an octet boundary (90.68. matches 90.68.x.x and nothing else), and $_SERVER['REMOTE_ADDR'] is the address of the TCP peer, so behind a reverse proxy it is the proxy’s address rather than the client’s. A page or group with its own edit attribute keeps that attribute; $DefaultPasswords['edit'] only applies where none is set.
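The same idea generalised to a list of CIDR ranges, as an added example for local/config.php that is not code from the PmWiki distribution. The network list, the helper names and the password are placeholders; it assumes the wiki is reached directly, so that REMOTE_ADDR is the client (see the comment in the code for the proxy case).

```php
<?php
## Added example for local/config.php, not code from the PmWiki distribution.
## Generalises the prefix test above to a list of CIDR ranges and keeps the
## password requirement for everyone else. The network list, the helper
## names and the password are placeholders.

## Trusted networks, in CIDR notation (placeholder values).
$TrustedNets = array('90.68.0.0/16', '10.0.0.0/8', '127.0.0.1/32');

## True if the dotted IPv4 address $ip lies inside $cidr. Anything that is
## not a parseable IPv4 address (including an IPv6 peer) is untrusted, so
## the safe default is "password required".
function IPInCIDR($ip, $cidr) {
  if (strpos($cidr, '/') === false) $cidr .= '/32';
  list($net, $bits) = explode('/', $cidr, 2);
  $bits = (int)$bits;
  $ipl = ip2long($ip);
  $netl = ip2long($net);
  if ($ipl === false || $netl === false || $bits < 0 || $bits > 32) return false;
  ## -1 has every bit set; shifting it left clears the host bits.
  $mask = $bits ? -1 << (32 - $bits) : 0;
  return ($ipl & $mask) == ($netl & $mask);
}

function IPIsTrusted($ip, $nets) {
  foreach ($nets as $cidr)
    if (IPInCIDR($ip, $cidr)) return true;
  return false;
}

## REMOTE_ADDR is the address of the TCP peer. Behind a reverse proxy that
## is the proxy itself, and X-Forwarded-For can be supplied by the client,
## so only consult a forwarded header if your proxy always overwrites it.
$ClientIP = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

if ($action == 'edit' && !IPIsTrusted($ClientIP, $TrustedNets)) {
  ## Store a hash, not the plaintext. pmcrypt() (recent PmWiki releases)
  ## chooses a salt; on older releases use crypt() as in the answer above.
  $DefaultPasswords['edit'] = pmcrypt('foobar');
}
```

Because every non-IPv4 or unparseable peer address falls through to the password branch, a misconfigured proxy or an IPv6 client fails closed rather than open. As with the shorter version, the admin password still works from everywhere, and per-page or per-group edit attributes take precedence over $DefaultPasswords['edit'].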

Q How do I password protect page actions?

A See Passwords. In config.php, either give the action its own password:

$HandleAuth['pageactionname'] = 'pageactionname'; # along with:
$DefaultPasswords['pageactionname'] = crypt('secret phrase');

or map it onto an existing authorization level:

$HandleAuth['pageactionname'] = 'anotherpageactionname';

Q How do I moderate all postings?

A Enable PmWiki.Drafts:

  • Set $EnableDrafts = 1; this relabels the “Save” button to “Publish” and adds a “Save draft” button.
  • Set $EnablePublishAttr = 1; this adds a new “publish” authorization level to distinguish editing from publishing.

Q How do I make a read only wiki?

A In config.php set an “edit” password.

Q How do I restrict access to uploaded attachments?

A See



This page may have a more recent version on pmwiki.org: PmWiki:Security, and a talk page: PmWiki:Security-Talk.


Page last modified on September 10, 2011, at 11:08 AM