History of Security

! Bitweaver 2

!! security settings
* in /kernel/))config_inc((.php the parameter ))IS_LIVE(( should be ''true'' (it is ''true'' by default); with it set, error messages are not shown to visitors
* rename your /install/ directory after installation
* optimize PHP for security (links)
* optimize Apache (links)
* anonymous users shouldn't be allowed to attach arbitrary files to wiki pages and other content
* if comments are enabled anywhere, also enable HTMLPurifier; it strips malicious code from user-submitted HTML
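The HTMLPurifier point above, as an added example that is not Bitweaver's own code: a small wrapper that sanitizes a user-submitted comment before it is stored or rendered. It assumes the HTMLPurifier library (ezyang/htmlpurifier) is installed and loaded through a Composer autoloader at the path shown; the comment text is constructed for the demonstration.

```php
<?php
// Added example, not Bitweaver's code. Assumption: HTMLPurifier is installed
// via Composer and the autoloader lives at vendor/autoload.php.
require_once __DIR__ . '/vendor/autoload.php';

function make_comment_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Only a small set of harmless formatting tags is allowed in comments.
    $config->set('HTML.Allowed', 'p,b,i,em,strong,a[href],ul,ol,li,br');
    // Restrict link schemes so javascript: and data: URIs are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    // Force rel="nofollow" on links so spam comments gain no search ranking.
    $config->set('HTML.Nofollow', true);
    // Disable the definition cache so the example needs no writable directory.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

function sanitize_comment(string $dirty): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = make_comment_purifier();
    }
    return $purifier->purify($dirty);
}

// Constructed sample input: a comment carrying an inline script, an event
// handler and a javascript: link next to legitimate formatting.
$dirty = '<p>Nice page! <b>thanks</b></p>'
       . '<script>alert(document.cookie)</script>'
       . '<img src="x" onerror="alert(1)">'
       . '<a href="javascript:alert(2)">click</a>'
       . '<a href="https://example.org/">ok</a>';

echo sanitize_comment($dirty), PHP_EOL;
// The script and img elements are removed, the javascript: link loses its
// href and keeps only its text, and the https link survives with rel="nofollow".
```

The allowlist in HTML.Allowed is the part to keep tight: every tag or attribute added there widens what anonymous commenters can put in front of other visitors' browsers.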

!! security alerts
(some examples of security issues that were discovered and how they've been addressed or don't exist)

!! hacking attempts
!!! unknown column/sort order
The script kiddie plague du jour is the attempt to exploit code that does include( $))varWithSomeUrlFromGetString(( ); which would fetch and execute PHP from a remote URL. If such an attack is attempted, a bitweaver install might mail an error message to you, the admin. Note that a normal user browsing your pages will never see an error message unless you set ))IS_LIVE(( to ''false'' in /kernel/))config_inc((.php (by default it is set to ''true''). Also, the error mail basically informs you that the attempted hack ''failed'', i.e. that it didn't do anything.
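The include() pattern described above, as an added example that is not Bitweaver's own code: the vulnerable form beside a hardened one that resolves the request against a fixed allowlist of local files and, like the ))IS_LIVE(( behaviour described here, logs rejected requests for the admin instead of echoing an error to the visitor. The allowlist, the IS_LIVE_EXAMPLE constant and the request strings are constructed for the example.

```php
<?php
// Added example, not Bitweaver's code.

// VULNERABLE: whatever arrives in ?page=... is handed straight to include().
// With allow_url_include enabled a URL here pulls in and executes remote PHP;
// even without it, a "../" path reads arbitrary local files.
function load_page_vulnerable(): void
{
    include($_GET['page']);
}

// HARDENED: map the request to a fixed allowlist of local files; anything
// else is rejected and logged, and the visitor only sees a generic response.
const PAGE_ALLOWLIST = [              // constructed allowlist
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

// Stands in for IS_LIVE: true in production, so error detail goes to the log
// rather than to the browser. Assumption: defined here only for the example.
const IS_LIVE_EXAMPLE = true;

function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGE_ALLOWLIST)) {
        return null;
    }
    return PAGE_ALLOWLIST[$requested];
}

function load_page_hardened(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        // Record the probe for the admin (Bitweaver mails it; here it goes to
        // the PHP error log). The visitor gets a generic 404.
        error_log(sprintf('rejected include request %s from %s',
            json_encode($requested), $_SERVER['REMOTE_ADDR'] ?? 'cli'));
        if (!IS_LIVE_EXAMPLE) {
            echo 'debug: unknown page ', htmlspecialchars($requested), PHP_EOL;
        }
        http_response_code(404);
        echo 'Page not found', PHP_EOL;
        return;
    }
    include $path;
}

// Constructed requests: one legitimate page name and two typical probe strings.
foreach (['home', 'http://attacker.invalid/x.txt', '../../etc/passwd'] as $req) {
    var_dump(resolve_page($req));   // string path for 'home', NULL for the probes
}
```

The important property is that user input never becomes a file path: it only selects a key in a table the developer wrote, so no amount of URL or path trickery in the request can reach a file outside that table. The log line gives you the same signal the error mail does, that the attempt was rejected, without exposing anything to the requester.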

! Bitweaver 1.3 and before
Bitweaver's 1.x versions were released in 2004 and the beginning of 2005 (see bitweaverRoadMap). These versions are really old now, and not well supported anymore. They have some serious security issues, many of which come from 3rd party code, like left-over code from older versions, the infamous Xmlrpc bug, and others. These and bitweaver's own bugs resulted in quite a bad reputation at times. Thus, many of the improvements introduced with bitweaver 2 addressed these issues specifically. In other words, don't install version 1.3 anymore. If you're running version 1.3 and are concerned about security, consider ((bitweaver R1 to R2 Upgrade|upgrading bitweaver)).
Page History
Version 6 (current): 13 Feb 2010 (19:57 UTC), laetzer, "added alias". Earlier versions: 5 by Benjamin Couhe; 4, 3, 2 and 1 by laetzer.