Bitweaver 2
security settings
- in /kernel/config_inc.php the parameter IS_LIVE should be true (it's true by default)
- rename your /install/ directory after installation
- optimize PHP for security (links)
- optimize Apache (links)
- anonymous users shouldn't be allowed to attach arbitrary files to wiki pages and other content
- if comments are enabled anywhere, also enable HTMLPurifier, which strips malicious markup (scripts, event handlers, javascript: links) from user-submitted HTML
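The following is an added example, not Bitweaver's own code, of what "enable HTMLPurifier" means in practice: user-submitted comment HTML is run through the HTMLPurifier library before it is stored or rendered. It assumes the standalone HTMLPurifier library is installed and that its autoloader path, the allow-listed tag set and the sample input are all local choices (the malicious-looking input is constructed for illustration).

```php
<?php
// Added example, not Bitweaver code. Assumes the HTMLPurifier library is
// installed; adjust the autoloader path for your installation.
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';

/**
 * Build a purifier configured for comment text: only a small set of
 * harmless tags and attributes survives, and link schemes are restricted
 * so javascript: and data: URLs cannot be smuggled through an <a href>.
 */
function make_comment_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allow-list of tags/attributes (assumed policy for this site's comments).
    $config->set('HTML.Allowed', 'p,br,b,i,em,strong,a[href],ul,ol,li,blockquote,code,pre');
    // Only these URL schemes are permitted in href attributes.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    // Mark user links as nofollow so the comment form is less attractive for spam.
    $config->set('HTML.Nofollow', true);
    return new HTMLPurifier($config);
}

/** Sanitize one comment body; call this once on input, before storing it. */
function clean_comment(HTMLPurifier $purifier, string $raw): string
{
    return $purifier->purify($raw);
}

// Constructed sample input of the kind a hostile commenter would submit.
$raw = '<p onmouseover="alert(1)">Nice page <a href="javascript:alert(2)">click</a>'
     . '<script>document.location="http://example.invalid/"</script></p>';

$purifier = make_comment_purifier();
echo clean_comment($purifier, $raw), PHP_EOL;
```

Purify on the way in (before the comment is saved) rather than only on display, so that every later consumer of the stored text (RSS feeds, e-mail notifications, search indexes) sees the cleaned version; the inline event handler, the javascript: link target and the script element are all outside the configured allow-list and are dropped.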
security alerts
(some examples of security issues that were discovered and how they've been addressed or don't exist)
hacking attempts
unknown column/sort order
The script kiddie plague du jour is the idea to exploit code that does: include( $varWithSomeUrlFromGetString ); which would execute remotely written PHP. If such an attack is attempted, a bitweaver install might mail an error message to you, the admin. Note that the normal user browsing your pages will never see an error message unless you set IS_LIVE to false in /kernel/config_inc.php (it is set to true by default). Also, the error mail basically informs you that the attempted hack failed, i.e. that it didn't do anything.
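As an added example (not Bitweaver's own code) of why such an attempt does nothing against a correctly written include, here is a hardened replacement for the include( $varWithSomeUrlFromGetString ) pattern above: the request value is only ever used as a key into a fixed allow-list, so a URL, a path traversal string or a php:// wrapper can never reach include(). The pages/ directory layout, the allow-list contents and the log wording are assumptions for this example.

```php
<?php
// Added example, not Bitweaver code: a hardened replacement for
// include($varWithSomeUrlFromGetString). Assumed layout: page files live
// in __DIR__ . '/pages/'.
declare(strict_types=1);

// Allow-list: request values map to fixed file names; anything else is rejected.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve an untrusted page name to an absolute path inside the pages
 * directory, or null if it is not on the allow-list. The request value is
 * never used to build a path, so "http://...", "../../etc/passwd" or
 * "php://input" cannot influence what gets included.
 */
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . ALLOWED_PAGES[$requested]);
    // Defence in depth: confirm the resolved file still lies under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Record the rejected value for the admin (the counterpart of the error
 * mail mentioned above) and serve a plain 404 to the visitor.
 */
function reject_page(string $requested): void
{
    // Truncate and strip non-printable bytes so the log line itself stays harmless.
    $safe = substr(preg_replace('/[^\x20-\x7e]/', '?', $requested), 0, 200);
    error_log('rejected include request: ' . $safe
        . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(404);
    echo 'Page not found';
}

// Independently of the allow-list, the interpreter should refuse remote
// includes outright; warn the admin if php.ini has this switched on.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('warning: allow_url_include is On; set it to Off in php.ini');
}

$requested = (string) ($_GET['page'] ?? 'home');
$file = resolve_page($requested);
if ($file === null) {
    reject_page($requested);
    exit;
}
include $file;
```

The allow-list is the actual control; the realpath prefix check and the allow_url_include warning are belt-and-braces measures so that a later edit to the allow-list (or a permissive php.ini) cannot silently reopen the hole. Keeping the 404 page generic while logging the rejected value gives the admin the same signal the error mail provides without telling the visitor anything about the application's file layout.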
Bitweaver 1.3 and before
Bitweaver's 1.x versions were released in 2004 and the beginning of 2005 (see bitweaverRoadMap). These versions are really old now, and not well supported anymore. They had some serious security issues, many of which came from 3rd party code, like left-over code from older versions, the infamous Xmlrpc bug, and others. These and bitweaver's own bugs resulted in quite a bad reputation at times. Thus, many of the improvements introduced with bitweaver 2 addressed these issues specifically. In other words, don't install version 1.3 anymore. If you're running version 1.3 and are concerned about security, consider upgrading bitweaver.