PHP settings (register_globals)

Because ewiki was developed on later PHP versions (at least 4.3), it
heavily uses the $_REQUEST array and assumes a deactivated
"register_globals" setting in php.ini.
If this is not the case for your setup / web server or with your
provider, the ewiki.php script may expose some security leaks
(because of uninitialized variables).
ewiki in general uses only a few global variables, but especially
the $ewiki_ring variable (which is used for PROTECTED_MODE) can lead
to problems if you use it without an existing authentication
concept. The $ewiki_plugins variable is also very complex, and I
cannot safely state that it won't be able to produce exploits if
the variable is tweaked externally (pushed into by a client).
So the best thing you can do is to disable register_globals (this
can be done from inside a directory's .htaccess file by inserting
the line "php_flag register_globals off").
A fragments/ include will be added to strike against variables which
got set from outside (this is rather easy for variables used by
ewiki, because their names all start with "$ewiki_").
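
One way such an include could look, as an added example that is not part of the ewiki distribution: it drops every global whose name starts with "ewiki_" before ewiki or the site's own code assigns any. The function name and the assumption that this file is the very first include of the request are hypothetical.

```php
<?php
// Added example, not ewiki's own code.
// Assumption: this file is included first, so no legitimate $ewiki_
// variable (e.g. $ewiki_ring from your authentication layer) exists yet
// and anything found under that prefix was pushed in by the client.

function ewiki_strike_globals($prefix = "ewiki_")
{
    $struck = array();
    // Work on a copy of the key list; the array changes inside the loop.
    foreach (array_keys($GLOBALS) as $name) {
        if (strncmp((string) $name, $prefix, strlen($prefix)) === 0) {
            unset($GLOBALS[$name]);
            $struck[] = $name;
        }
    }
    return $struck;
}

// ini_get() yields "" / "0" / false when register_globals is off or no
// longer exists; any other value runs the strike, which is the safe side.
if (ini_get("register_globals")) {
    $struck = ewiki_strike_globals();
    if ($struck) {
        // Names come from the client: neutralise anything but word
        // characters before it reaches the log.
        $safe = preg_replace('/\W/', '?', implode(",", $struck));
        error_log("ewiki: dropped externally set globals: " . $safe);
    }
}
```

Because the loop keys on the prefix rather than on $_GET, $_POST or $_COOKIE, it also removes the extra variables register_globals derives from uploaded file fields.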