Yes, it's true. On the page you're pointing to, you missed this text: "Important: If you used method 3b, you should reset permissions by executing "chmod 755 ." in the directory containing pmwiki.php."
Cheers,
Radu

On Mon, Dec 22, 2008 at 2:00 PM, adam overton <[email protected]> wrote:
>
> hi, is this true?
>
> > Either way, don't set
> > anything to 777.
>
> b/c the installation instructions for pmwiki
> (http://pmwiki.org/wiki/PmWiki/Installation) say setting uploads and
> wiki.d to 777. should they be 775 instead? just wondering if there's
> any consensus on this before i go start twiddling, changing
> permissions...
>
> thx
> adam
>
> > Message: 6
> > Date: Mon, 22 Dec 2008 10:25:35 -0500
> > From: DaveG <[email protected]>
> > Subject: Re: [pmwiki-users] Security breach?
> > To: [email protected], [email protected]
> > Message-ID: <[email protected]>
> > Content-Type: text/plain; charset="UTF-8"
> >
> >> What happens is that the hackers use the uploads directory
> >> (with 777 permissions) to upload php files, and then it seems
> >> these php files can be used to access other parts of the
> >> filesystem (if I understood
> > <...snip...>
> >> If a directory has 777 permissions, is there anything to stop someone
> >> putting an arbitrary file there??
> > Not sure why you have directories set to 777; my uploads and wiki.d
> > directories are all 775; most other directories are 755. Not sure
> > why some are 775 -- I suspect they could be changed to 755. Either
> > way, don't set anything to 777.
> >
> > ~ ~ Dave
> >
> > ------------------------------
> >
> > Message: 7
> > Date: Mon, 22 Dec 2008 13:45:52 -0200
> > From: Guillermo Calderon - INCO <[email protected]>
> > Subject: [pmwiki-users] question about Cookbook/SwitchToSSLMode
> > To: [email protected]
> > Message-ID: <[email protected]>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> > Hi all;
> > I was reading the page Cookbook/SwitchToSSLMode.
> > There, a complex solution is described in order to "only actions where
> > passwords are likely to be passed are sent via SSL"
> >
> > However, "The example assumes there are not read-protected pages, since
> > any 'read' passwords entered to view a page would be sent via a non-SSL
> > connection"
> >
> > It sounds too restricted since (almost) every wiki has some
> > read-protected pages and groups.
> >
> > I have implemented a very simple solution where only passwords are sent
> > via SSL and the other posts are sent via http.
> > In config.php:
> >
> > SDVA($InputTags['auth_form'], array(
> >   ':html' => "<form action='https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}'
> >     method='post'
> >     name='authform'>\$PostVars"));
> >
> > This way the action field of the auth-form sends all the information
> > via https.
> >
> > My question: does this solution really work?
> > (I think so, but I would like to be sure)
> >
> > Guillermo
> >
> > ------------------------------
> >
> > _______________________________________________
> > pmwiki-users mailing list
> > [email protected]
> > http://www.pmichaud.com/mailman/listinfo/pmwiki-users
> >
> > End of pmwiki-users Digest, Vol 42, Issue 19
> > ********************************************
>
> _______________________________________________
> pmwiki-users mailing list
> [email protected]
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>
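
The permission check discussed in this thread, as an added example that is not part of the original messages or of PmWiki: a shell function that reports world-writable directories (such as mode 777) under a PmWiki installation and any PHP files sitting in uploads/. It assumes uploads/ is directly beneath the directory containing pmwiki.php; the function name and output labels are made up for illustration.

```shell
# Added example, not from the thread or from PmWiki itself.
# Assumption: uploads/ sits directly under the directory containing pmwiki.php.
# Usage: audit_pmwiki_perms /path/to/pmwiki
# Returns 0 if nothing is flagged, 1 if something is flagged, 2 on a bad path.

audit_pmwiki_perms() {
    root=$1
    if [ ! -f "$root/pmwiki.php" ]; then
        echo "no pmwiki.php in $root" >&2
        return 2
    fi
    status=0

    # Directories with the "other" write bit set (for example mode 777).
    # Modes 775 and 755 do not match this test.
    ww=$(find "$root" -type d -perm -0002 -print)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE: /'
        status=1
    fi

    # PHP files in the upload area, which is where the thread reports
    # uploaded php files turning up when the directory is 777.
    if [ -d "$root/uploads" ]; then
        php=$(find "$root/uploads" -type f -name '*.[Pp][Hh][Pp]*' -print)
        if [ -n "$php" ]; then
            printf '%s\n' "$php" | sed 's/^/PHP-IN-UPLOADS: /'
            status=1
        fi
    fi
    return $status
}
```

A PHP file found in uploads/ stays flagged after the directory mode is corrected, so fixing permissions alone does not clear the report.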
