Ticket #98 (closed defect: fixed)
GetEnv is not a good idea
| Reported by: | dartar | Owned by: | JavaWoman |
|---|---|---|---|
| Priority: | high | Milestone: | 1.1.6.3 |
| Component: | core | Version: | 1.1.6.2 |
| Severity: | major | Keywords: | security configuration |
| Cc: |
Description (last modified by JavaWoman)
In ./wikka.php, you will see this line:
<?php if (!$configfile = GetEnv("WAKKA_CONFIG")) $configfile = "wikka.config.php";?>
In most cases, a website is hosted on a machine as a VirtualHost, which means that a number of websites share the same environment variables. If someone knows where your site is hosted, he can put his site on the same server and use a script containing:
<?php putenv('WAKKA_CONFIG=/home/hacker/config.php');?>
Then all Wikka sites on the same server will use his configuration file. The remaining actions needed to hack your site will be as easy as eating a sandwich. The PHP documentation says that an environment variable is altered only during the life of the script, but with my dev EasyPHP on Windows, that is false. (I think a "new" environment variable keeps its value, even on Linux.)
I wanted to make a unique Wikka interface used by 3 sites on the same server. The most secure solution I found is to alter ./wikka.php like this:
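<?php
# Migrate a legacy wakka.config.php to the current file name.
if (file_exists("wakka.config.php")) rename("wakka.config.php", "wikka.config.php");
# The environment lookup is disabled; start from a known empty value instead.
#if (!$configfile = GetEnv("WAKKA_CONFIG")) $configfile = "wikka.config.php";
$configfile = null;
# Use the path set by a wrapper script (see sitenumber2.php), if any.
if (!$configfile && isset($GLOBALS['wikka_config'])) $configfile = $GLOBALS['wikka_config'];
# Otherwise fall back to the default configuration file.
if (!$configfile) $configfile = "wikka.config.php";
if (file_exists($configfile)) include($configfile);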
and put the two files sitenumber2.php and .htaccess below at the root of server number 2:
sitenumber2.php:
<?php
$GLOBALS['wikka_config'] = "/path/to/altered_config.php";
chdir("/path/to/basewikka");
include('wikka.php');
?>
.htaccess:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.*/[^\./]*[^/])$ $1/
RewriteRule ^(css|images|wikiedit2)/(.*)$ /path/to/basewikka/$1/$2 [L]
RewriteRule ^(.*)$ sitenumber2.php?wakka=$1 [QSA,L]
</IfModule>
--DotMG
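Added example (not Wikka's code and not part of the ticket): one way to choose the configuration file without reading the process environment, accepting a path only from a trusted wrapper script and only if it resolves inside an allowlisted directory. `resolve_config_path()`, `$allowed_dirs` and the temporary demo paths are hypothetical and constructed for illustration.

```php
<?php
// Added example, not Wikka code. resolve_config_path() and $allowed_dirs
// are hypothetical names; the demo files below are constructed.

// Return the config file to load without consulting the environment.
// $requested may only come from a trusted wrapper script.
function resolve_config_path($requested, array $allowed_dirs, $default)
{
    if (!is_string($requested) || $requested === '') {
        return $default;
    }
    $real = realpath($requested); // resolves symlinks and "..", false if missing
    if ($real === false || !is_file($real)) {
        return $default;
    }
    foreach ($allowed_dirs as $dir) {
        $base = realpath($dir);
        if ($base === false) continue;
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $base, strlen($base)) === 0) {
            return $real; // canonical path inside an allowed directory
        }
    }
    return $default; // exists, but outside every allowed directory
}

// Constructed demo: one directory the site owner controls, one that
// stands in for another tenant's home on the same shared server.
$tmp     = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wikka_demo_' . getmypid();
$trusted = $tmp . DIRECTORY_SEPARATOR . 'trusted';
$foreign = $tmp . DIRECTORY_SEPARATOR . 'foreign';
mkdir($trusted, 0700, true);
mkdir($foreign, 0700, true);
file_put_contents("$trusted/site2.config.php", "<?php // site 2 settings\n");
file_put_contents("$foreign/config.php", "<?php // not ours\n");
putenv("WAKKA_CONFIG=$foreign/config.php"); // has no effect: getenv() is never called

$default = 'wikka.config.php';
$cases = array(
    'inside allowed dir'  => "$trusted/site2.config.php",
    'outside allowed dir' => "$foreign/config.php",
    '"../" out of it'     => "$trusted/../foreign/config.php",
    'nothing requested'   => null,
);
foreach ($cases as $label => $path) {
    echo $label, ' => ', resolve_config_path($path, array($trusted), $default), "\n";
}
array_map('unlink', glob("$tmp/*/*.php")); rmdir($trusted); rmdir($foreign); rmdir($tmp);
```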
I've now written up my thoughts about a more secure way to handle Wikka's configuration (which should also provide more flexibility): http://wikkawiki.org/WikkaSecureConfig --JavaWoman