Bitweaver security settings
Security settings
After you have installed bitweaver, check the following settings:
- In /kernel/config_inc.php the parameter IS_LIVE should be "true" (it is "true" by default). From then on, error messages are no longer exposed to visitors. To see the errors yourself, either monitor the error logs directly on the server, or set IS_LIVE to "false" only while testing and developing (with other protection in place).
- Rename your /install/ directory. Rename it back only to install new packages.
- In Admin > Users > Permissions, make sure that Anonymous is not allowed to attach files to content (not allowed by default).
- If users are allowed to input HTML, enable HTMLPurifier, which strips malicious code.
- If Anonymous can submit content, enable CAPTCHA (depends on your server's setup).
Security issues
wiki_url_import
The "suck_url Information Disclosure" security issue has been fixed in version 2.1. Before that, it was exploitable when the admin turned on the wiki_url_import feature (off by default).
Hacking attempts
The script kiddie plague du jour is exploiting code that does include($varWithSomeUrlFromGetString); which would execute remotely written PHP. If such an attack is attempted, a bitweaver install might mail an error message to you, the admin, saying something like "unknown column" or "unknown sort order" (note that normal users browsing your pages will never see any error message unless you set IS_LIVE to false in /kernel/config_inc.php). The error mail tells you that the attempted hack failed (that it did nothing).
3rd party applications
PHP security settings
- For security reasons, your server might run PHP with features like open_basedir or safe_mode switched ON. See Install under safe mode.
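The include pattern described under Hacking attempts, beside a hardened version that only resolves the request against an allow-list of local files. This is an added example, not Bitweaver code; the $_GET['page'] parameter, the pages/ directory and the page names are assumed.

```php
<?php
// Added example (not Bitweaver code). Assumed: a ?page= query parameter
// and a pages/ directory holding the application's own templates.

// VULNERABLE: the include target comes straight from the query string.
// If allow_url_include is on, a URL in ?page= is fetched and executed;
// even without it, ../ paths can pull in arbitrary local files.
function render_page_vulnerable(string $page): void
{
    include($page);
}

// HARDENED: map short names to known files and refuse everything else.
// Returns false (and logs) instead of raising an error the admin gets mailed.
function render_page_safe(string $page): bool
{
    $base = realpath(__DIR__ . '/pages');
    // Allow-list: request name -> file shipped with the application.
    $pages = [
        'home'    => $base . '/home.php',
        'about'   => $base . '/about.php',
        'contact' => $base . '/contact.php',
    ];
    if ($base === false || !array_key_exists($page, $pages)) {
        // Keep the log line single-line so the user value cannot forge entries.
        error_log('blocked include for unknown page: ' . preg_replace('/\s+/', ' ', $page));
        return false;
    }
    // realpath() returns false for a missing file and canonicalises ../ and
    // symlinks, so the result can be checked to still lie inside pages/.
    $target = realpath($pages[$page]);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        error_log('blocked include outside pages/: ' . $page);
        return false;
    }
    include $target;
    return true;
}

// Dispatch: an unknown or tampered page name yields a plain 404, nothing more.
$requested = $_GET['page'] ?? 'home';
if (!render_page_safe($requested)) {
    http_response_code(404);
    echo 'Page not found';
}
```

Keeping allow_url_include and allow_url_fopen off in php.ini is a second layer; the allow-list is what removes the attacker's control over the path.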