On 30 June 2011 18:09, Andreas Hahn <ahahn(a)gmx.net> wrote:
Hi Andreas,
Your site is perfect for illustrating my concerns about the "open by
default" configuration of xwiki.
I was able to register an account (I used my real email, but it could've
been a fake one), and was able to make a comment on your page here:
http://shept.org/docs/Shept/Features
Did you really intend to leave that page open for comments? I would
guess not, since you turned off comments on your WebHome page.
I find it very scary how easy it is to leave doors and windows open.
I can shut the doors I find open, but I have no way of confirming that I
have closed all the doors, especially the back doors that I do not know
about (e.g. whatever is in the XWiki space).
cheers
Paul
Hi Paul,
well you can make a philosophy out of what information should be allowed
and restricted ...
As for shept.org as an open source project I'm pretty fine with the
current setup.
I get regular notifications about what's being changed and should there
be some offending stuff there's always the option to delete it.
I'm running other XWiki sites with more restricted rights.
My approach for getting more confidence about security settings was
studying the server logs and understanding what the robots find out.
Of course you can also do the same before going public with some
site-copy tool ...
ciao
Andreas
In your secure wikis, did you check this page:
http://shept.org/docs/XWiki/Import#Attachments
An Unregistered, un-logged on user can download any .xar that you have
uploaded and imported...
which means if you have imported content from e.g. another wiki, then the user
could download the .xar and load all of your content onto his own xwiki
instance, and see all of your secured content.
I'm not happy about allowing View access on the entire XWiki space, there
are a lot of things in there that probably shouldn't be accessible ... but
it's hard to tell!
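An added audit script (not from this thread, and not XWiki's own tooling) that reads a .xar export offline and reports, for each page, whether anonymous view is explicitly granted, explicitly restricted, or simply inherited from the space/wiki default, together with the attachments an anonymous reader of that page would be able to download. It assumes the XWiki document XML layout (xwikidoc with web/name children, attachment/filename, and rights objects as object/className with one property element per field); the .xar built by sample_xar() is constructed inline and is not a real export.

```python
import io, zipfile
import xml.etree.ElementTree as ET

RIGHTS_CLASSES = {"XWiki.XWikiRights", "XWiki.XWikiGlobalRights"}
ANON_SUBJECTS = {"XWiki.XWikiGuest", "XWiki.XWikiAllGroup"}  # anonymous user / everyone

def _rules(doc):
    """Yield (allow, subjects, levels) for each rights object on one document."""
    for obj in doc.findall("object"):
        if obj.findtext("className") not in RIGHTS_CLASSES:
            continue
        props = {p[0].tag: (p[0].text or "") for p in obj.findall("property") if len(p)}
        subjects = {s for s in (props.get("users", "") + "," + props.get("groups", "")).split(",") if s}
        yield props.get("allow") == "1", subjects, set(props.get("levels", "").split(","))

def audit_xar(xar_bytes):
    """Map 'Space.Page' -> {'view': status, 'attachments': [...]} for every document."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(xar_bytes)) as zf:
        for member in zf.namelist():
            if member == "package.xml" or not member.endswith(".xml"):
                continue
            doc = ET.fromstring(zf.read(member))
            view_rules = [(a, s) for a, s, lv in _rules(doc) if "view" in lv]
            if any(a and s & ANON_SUBJECTS for a, s in view_rules):
                status = "guest-view"   # explicitly open to anonymous users
            elif view_rules:
                status = "restricted"   # an allow list exists and guests are not on it
            else:
                status = "inherited"    # no rule on the page: the space/wiki default decides
            report[f"{doc.findtext('web')}.{doc.findtext('name')}"] = {
                "view": status,
                "attachments": [a.findtext("filename") for a in doc.findall("attachment")]}
    return report

def _doc(web, name, rules=(), attachments=()):  # constructed document XML for the sample
    objs = "".join("<object><className>XWiki.XWikiRights</className>"
                   f"<property><allow>{a}</allow></property><property><users>{u}</users></property>"
                   f"<property><groups>{g}</groups></property><property><levels>{l}</levels></property>"
                   "</object>" for a, u, g, l in rules)
    atts = "".join(f"<attachment><filename>{f}</filename></attachment>" for f in attachments)
    return f"<xwikidoc><web>{web}</web><name>{name}</name>{atts}{objs}</xwikidoc>".encode()

def sample_xar():  # constructed export covering the three pages discussed in the thread
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("XWiki/Import.xml", _doc("XWiki", "Import", attachments=["site-backup.xar"]))
        zf.writestr("Shept/Features.xml", _doc("Shept", "Features", [("1", "XWiki.XWikiGuest", "", "view,comment")]))
        zf.writestr("Shept/WebHome.xml", _doc("Shept", "WebHome", [("1", "", "XWiki.XWikiAdminGroup", "view")]))
    return buf.getvalue()
```

Pages reported as "inherited" are the ones to check against the space and wiki preferences, since on an open-by-default install that status means anonymous view, and any attachment listed on such a page is downloadable without logging in.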