Alain M. wrote:
> Hi Sergiu,
>
> ok, I can say then that:
> 1) Container security doesn't seem to be a major concern, or you would have
> been more preoccupied. I will seek a qualified professional and pass
> him your information.
> 2) wiki secure by its users is up to me :) this is quite normal
>
> BUT the real question is whether xwiki by itself has security issues. Let
> me give an example: php has a weakness known as "sql injection".
>
> Is XWiki prone to the same kind of problem?
>

Alain, I run a web hosting service. 99% of the applications deployed are JAVA based. 1% of the applications are PHP based. HOWEVER 99% of all application related security issues we deal with are related to PHP.
> Thanks,
> Alain
>
> Sergiu Dumitriu wrote:
>
>> Hi Alain,
>>
>> There are 2 security areas when talking about XWiki: the security of the
>> underlying system, and the security of the wiki itself.
>>
>> The first one depends a lot on the security of the container (Tomcat,
>> for example), and I think that most containers are pretty safe to use,
>> as a lot of websites are built on the Java technology. One important
>> aspect is the security model of the JVM; you can leave the container
>> without a security manager, which allows an application to do anything
>> (well, anything the user owning the java process can do on the system),
>> or enable the security manager which allows an application to do only
>> what you tell it to. While enabling the security manager is the safest
>> thing to do, we didn't quite experiment with this, so we can't provide a
>> good policy file that will allow XWiki to run, you will have to write it
>> yourself; there is a minimal file which allows XWiki to start under the
>> security manager, but it isn't tested on more than viewing a page (see
>> http://jira.xwiki.org/jira/browse/XWIKI-348). If you want to play around
>> with this policy file until you determine the minimum safe set of rules,
>> then you won't have anything to worry about on the system security.
>>
>> The second part is a bit trickier, as it depends a lot on how you manage
>> users and their rights. If you only grant view and edit rights to people
>> you trust, then there shouldn't be any risks. If you open the wiki for
>> public registration and public editing, then you will have the problem
>> any wiki has: anyone can alter the data. This is where the
>> administrator(s) are needed: managing users and their roles/rights. A
>> pretty good thing is that XWiki has versioning, so you can always revert
>> a document to a previous version, and a recycle bin, so you can recover
>> deleted documents.
>>
>> Regarding rights, there is a major issue: XWiki has something called the
>> Programming right, something that allows users to go beyond simple
>> editing, as it allows a user to write scripts that can alter all the
>> data in the wiki, or even scripts that can do anything a java program
>> can do (even access the filesystem and send data over the network). This
>> is where the security manager I talked about above is useful, as it
>> restricts what such a script can do on the system. Now, this is
>> something you should take extra care about: it is not a problem unless
>> you make it one. Never let this right be used in the wiki, it is not
>> intended to be granted to normal users but to your "super"
>> administrators, who know how and when to use this access right. This
>> means that you should only use the default Admin account to set up the
>> wiki, then create a normal user for day-to-day editing.
>>
>> So, as a conclusion, XWiki CAN be safe, and it CAN be unsafe, it is only
>> a matter of proper configuration. It does not contain anything
>> inherently unsafe, it is built on a safe platform, with the dangerous
>> things (programming right) locked up by default.
>>
>> Alain M. wrote:
>>
>>> Please, can anyone help me on this matter?? I have waited some time but
>>> didn't get an answer. This is important, any information will help
>>> -------
>>>
>>> If I install xwiki in a VPS, and leave it running, with a firewall that
>>> leaves open only the port that xwiki is using,
>>>
>>> Could it be attacked by a hacker to gain access to the server?
>>>
>>> Do I need some extra protection? Is there a security tutorial?
>>>
>>>
> _______________________________________________
> users mailing list
> users@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
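As an added illustration of the security-manager point in Sergiu's reply (not code from this thread or from the XWiki project): a Tomcat `conf/catalina.policy` grant for the xwiki webapp, with the unrestricted form beside a restricted one. The codeBase path, the database host `db.example.internal`, its port and the exact permission list are assumptions; the minimal set XWiki actually needs has to be found by testing, as the reply itself says (XWIKI-348).

```text
// ADDED EXAMPLE, not from the thread or from XWiki. Goes in conf/catalina.policy and
// takes effect when Tomcat is started with the security manager (catalina.sh start -security).
// Paths, host name and the permission list are assumptions to adjust per deployment.
// Policy grants are additive: keep ONLY ONE of the two grant blocks below.

// Weak setting: equivalent to running without a security manager at all.
// A script written under the Programming right can then read any file the
// Tomcat user can read and open any outbound network connection.
grant codeBase "file:${catalina.base}/webapps/xwiki/-" {
    permission java.security.AllPermission;
};

// Restricted setting: only what the webapp is known to need (assumed starting set).
grant codeBase "file:${catalina.base}/webapps/xwiki/-" {
    // read its own deployment directory, read/write Tomcat's work directory
    permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}xwiki${file.separator}-", "read";
    permission java.io.FilePermission "${catalina.base}${file.separator}work${file.separator}-", "read,write,delete";
    // system properties looked up by the application and its libraries
    permission java.util.PropertyPermission "*", "read";
    // outbound network: the database only (assumed host and port); nothing else
    permission java.net.SocketPermission "db.example.internal:3306", "connect,resolve";
    // runtime permission commonly needed by web frameworks (assumed); widen only when a
    // java.security.AccessControlException in catalina.out shows a concrete need
    permission java.lang.RuntimePermission "getClassLoader";
};
```

Start with the restricted grant, exercise the wiki, and add a permission only for each logged AccessControlException; note that on JDK 17 and later the security manager is deprecated (JEP 411) and must be explicitly allowed with -Djava.security.manager=allow.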