ewiki

PHP settings (register_globals)

Because ewiki was developed on later PHP versions (at least 4.3), it
heavily uses the $_REQUEST array and assumes that the "register_globals"
setting in php.ini is deactivated. If this is not the case for your
setup, your web server or your hosting provider, the ewiki.php script
may expose some security leaks (because of uninitialized variables).

ewiki in general uses only a few global variables, but especially the
$ewiki_ring variable (which is used for PROTECTED_MODE) can lead to
problems if you use it without an existing authentication concept.
The $ewiki_plugins array is also very complex, and I cannot safely
state that it won't be able to produce exploits if the variable is
tweaked externally (pushed in by a client).

So the best thing you can do is to disable register_globals (this can
be done from inside a directory's .htaccess file by inserting the line
"php_flag register_globals off"; php_flag is the Apache mod_php
directive for boolean ini settings).

A fragments/ include will be added to guard against variables which
got set from outside (this is rather easy for variables used by ewiki,
because their names all start with "$ewiki_").
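The following is an added example, not ewiki's own code and not the
fragments/ include mentioned above. It shows the two checks a site
operator would want when register_globals cannot be switched off in
php.ini or .htaccess: detect the setting at runtime, and drop any
global in ewiki's "$ewiki_" namespace that also arrived as a request
parameter, so that ewiki.php's own defaults apply again. The function
names, the variable list and the sample request below are assumptions
made for this example.

```php
<?php
// Added example (not part of ewiki): undo what register_globals does for
// the "$ewiki_" namespace before ewiki.php is included.

// ini_get() returns the raw php.ini string; "1", "On", "true" and "yes"
// all mean the setting is active.
function ewiki_example_register_globals_enabled()
{
    $raw = strtolower(trim((string) ini_get('register_globals')));
    return in_array($raw, array('1', 'on', 'true', 'yes'), true);
}

// Every request key that starts with "ewiki_" and that register_globals
// also turned into a global variable is removed from $GLOBALS. The list
// of removed names is returned so it can be logged by the caller.
// $request is normally $_REQUEST; note that $_REQUEST only contains the
// sources listed in variables_order / request_order, so pass a merge of
// $_GET, $_POST and $_COOKIE if your php.ini narrows that list.
function ewiki_example_strip_injected_globals($request)
{
    $stripped = array();
    foreach (array_keys($request) as $name) {
        if (strncmp((string) $name, 'ewiki_', 6) === 0
            && array_key_exists($name, $GLOBALS)) {
            unset($GLOBALS[$name]);
            $stripped[] = $name;
        }
    }
    return $stripped;
}

// Constructed demonstration: simulate what register_globals would have
// done for a request carrying ewiki_ring and an unrelated parameter.
$demo_request = array('ewiki_ring' => '0', 'id' => 'FrontPage');
foreach ($demo_request as $k => $v) {
    $GLOBALS[$k] = $v;            // this is the effect of register_globals
}

if (ewiki_example_register_globals_enabled() || true /* force for demo */) {
    $removed = ewiki_example_strip_injected_globals($demo_request);
    // $removed is array('ewiki_ring'); $id is untouched because it is not
    // in ewiki's reserved namespace.
    echo 'stripped: ' . implode(', ', $removed) . "\n";
    echo 'ewiki_ring is set: ' . (isset($GLOBALS['ewiki_ring']) ? 'yes' : 'no') . "\n";
}
```

Place such a fragment before the line that includes ewiki.php, so that
$ewiki_ring, $ewiki_plugins and the other "$ewiki_" globals are
initialised by ewiki's own defaults rather than by the client. Passing
$GLOBALS by reference or reassigning it as a whole is rejected by PHP
8.1 and later, which is why the function above only unsets individual
entries. The stripping is a fallback only; the .htaccess line
"php_flag register_globals off" (or "php_admin_flag" in httpd.conf)
remains the real fix.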