History of Security

Differences from version 1 to 6



@@ -1,19 +1,43 @@

-! Bitweaver 2
+{maketoc}
+! Security settings
+After you installed Bitweaver, check the following settings:
+* In -+/kernel/config_inc.php+- the parameter -+IS_LIVE+- should be -+TRUE+-. This means, error messages are not exposed to visitors. To see the errors yourself, either monitor your error logs directly from the server, or set IS_LIVE to -+FALSE+- while testing and developing (and having other protection in place).
+* Rename your -+install/+- directory. Rename it back only to install new packages or upgrade Bitweaver.
+* In ''Admin > Users > Permissions'', make sure that -+Anonymous+- is not allowed to attach files to content (default: not allowed)
+* If you allow users to input HTML, enable ((HTMLPurifier)), which strips malicious code.
+* If -+Anonymous+- can submit content, enable CAPTCHA (depends on your server's setup) in ''Admin > Liberty Settings''
 
-!! security settings
-* in /kernel/))config_inc((.php the parameter ))IS_LIVE(( should be ''true'' (it's ''true'' by default)
-* rename your /install/ directory after installation
-* optimize PHP for security (links)
-* optimize Apache (links)
-* anonymous users shouldn't be allowed to attach all the files they want to wiki pages and other content
-* if comments are enabled anywhere, definitely enable also HTMLPurifier, it strips malicious code
+! Security issues
 
-!! security alerts
-(some examples of security issues that were discovered and how they've been addressed or don't exist)
+!! Code injection into content
+A malicious user might try to input code through on of Bitweaver's content forms (comment, wiki page etc). The best way to prevent susceptibility to HTML hacking is to disable HTML as an input format. As the Bitweaver framework allows a number of formats for content, using a wiki type format while not allowing HTML is the most secure option. It's also possible to allow HTML only for certain user groups (admins, editors etc).
 
-!! hacking attempts
-!!! unknown column/sort order
-The script kiddie plague du jour is the idea to exploit code that does: include( $))varWithSomeUrlFromGetString(( ); which would execute remotely written PHP. If such an attack is attemped, a bitweaver install might mail an error message to you, the admin. Note that the normal user browsing your pages will never see an error message unless you set ))IS_LIVE(( to ''false'' in /kernel/))config_inc((.php which by default is set to ''true''. Also, the error mail basically informs you, that the attemptet hack ''failed'', actually that it didn't do anything.
+If the flexibility of using HTML outweighs the security concerns, Bitweaver provides a number of additional tools to sanitise data entry. One advanatge of HTML is the availability of WYSIWYG editors like ((FckeditorPackage|FCKeditor)) or ((TinymcePackage|TinyMCE)). Both of these provide filtering of input, such as only allowing a sub set of HTML tags.
 
-! Bitweaver 1.3 and before
-Bitweaver's 1.x versions were released in 2004 and the beginning of 2005 (see bitweaverRoadMap). These versions are really old now, and not well supported anymore. They got some serious security issues, many of which come from 3rd party code, like left-over code from older versions, the infamous Xmlrpc bug, and others. These and bitweaver's own bugs resulted in quite a bad reputation at times. Thus, many of the improvements which were introduced with bitweaver 2, addressed these issues specifically. In other words, don't install version 1.3 anymore. If you're running version 1.3 and are concerned about security, consider ((bitweaver R1 to R2 Upgrade|upgrading bitweaver)).
+Since it is possible to bypass the editors to enter HTML, a more serious level of filtering is provided by Bitweaver's ((Simple Purifier|Simple HTML Purifier)). Finally, the most secure and comprehensive option is to use ((HTMLPurifier)).
+
+
+!! SQL injection
+A malicious user might try to inject code into the SQL database (Postgres, MySQL etc). Each database engine requires a different version of an attack to present viable SQL. Invalid SQL will result in an error report to the administrator. A 'White Screen', claiming that you are running Bitweaver in test mode, is only returned when the parameter -+IS_LIVE+- set to -+FALSE+- in kernel/config_inc.php. Sites being in production are expected to have set this to -+TRUE+-, while error reports are directed to appropriate error log files.
+
+In the past, some of Bitweaver's search functions allowed the inclusion of additional SQL -+WHERE+- clauses. This was not database agnostic and has been replaced. Now, additional search options build the SQL internally, preventing any possible injection attack.
+
+
+!! wiki_url_import
+The "suck_url Information Disclosure" security issue has been fixed in version 2.1. Before, it was exploitable when the admin had enabled the feature ''wiki_url_import'' (default: disabled).
+
+
+!! Hacking attempts
+The script kiddie plague du jour is the idea to exploit code that does: -+include($varWithSomeUrlFromGetString);+- which would execute remotely written PHP. If such an attack is attemped, a Bitweaver install might mail an error message to you, the admin, alerting an "unknown column" or "unknown sort order" (note that normal users browsing your pages will never see any error message unless you set -+IS_LIVE+- to ''false'' in -+/kernel/config_inc.php+-). The error mail informs you that the attemptet hack failed (that it didn't do anything). See ''SQL injection'' above.
+
+
+! PHP security settings
+* For security reasons, your server might run PHP with features like open_basedir or safe_mode switched ON. See ((Install under safe mode)).
+
+
+! Earlier Bitweaver versions
+Bitweaver versions 1.3 and before were released in 2004/2005 (see ((bitweaverRoadMap|Roadmap))). These versions are not supported anymore, i.e., the code hasn't been updated since the release. There are a couple of serious security issues. Some stem from 3rd party code, like left-over code from older versions, as well as the infamous XMLRPC bug (if enabled). Many of the improvements introduced with Bitweaver 2 addressed these issues specifically. In other words, don't install version 1.3. If you're running version 1.3 and are concerned about security, please ((bitweaver R1 to R2 Upgrade|upgrade Bitweaver)).
+
+
+! Vulnerability Reports
+A discussion of 3rd party Vulnerability Reports on the security of Bitweaver can be found on the page ((Vulnerability Report Status)).
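Review bot: the cross-reference that closes the new ''Hacking attempts'' section ("See ''SQL injection'' above") points at the wrong issue: the pattern quoted there, -+include($varWithSomeUrlFromGetString);+-, is remote PHP inclusion through a URL parameter, not SQL injection, whereas the "unknown column" / "unknown sort order" error mails are the invalid-SQL error reports that the ''SQL injection'' paragraph already describes. Suggest keeping the include() case as its own item (the old heading ''!!! unknown column/sort order'' at least kept the two apart) and moving the "unknown column" sentence under ''SQL injection''. The removed bullets ''* optimize PHP for security (links)'' and ''* optimize Apache (links)'' are only half replaced: the new ''! PHP security settings'' section covers open_basedir and safe_mode, but nothing about Apache hardening survives, so that item should be carried over or its removal stated. The sentence "Sites being in production are expected to have set this to TRUE, while error reports are directed to appropriate error log files" repeats the IS_LIVE explanation from the first bullet of ''Security settings'' and could be a pointer instead. Typos in the added lines: "on of" should be "one of", "advanatge" "advantage", "sub set" "subset", and "attemped" / "attemptet" both "attempted".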
Page History
Version 6 (current): 13 Feb 2010 (19:57 UTC), laetzer (85.178.0.170), comment "added alias"
Version 5: Benjamin Couhe (80.4.75.27)
Version 4: laetzer (141.20.150.43)
Version 3: laetzer (141.20.150.43)
Version 2: laetzer (85.178.63.167)
Version 1: laetzer (85.178.3.165)