[Discuss] Wiki Security Risk

Will Rico willrico at gmail.com
Thu Feb 6 22:12:07 EST 2014


Our company has a MediaWiki installation under a directory, protected at
the Apache level from access, i.e. requiring a user login.  We've had this
setup for many years and it has worked well.  Everyone in the company can
view and edit the Wiki without the restriction, but barring a breach of the
Apache access handler, it is protected from others.


On Fri, Jan 31, 2014 at 8:23 PM, John Abreau <abreauj at gmail.com> wrote:

> Have you heard of TWiki? Foswiki is a fork of TWiki. As I understand it,
> the forking was in response to a dispute among TWiki developers over
> licensing issues.
>
>
> On Fri, Jan 31, 2014 at 6:52 PM, Bill Horne <bill at horne.net> wrote:
>
> > On 1/31/2014 5:20 PM, David Kramer wrote:
> >
> >>
> >> On 01/31/2014 01:56 PM, Jeffrey Young wrote:
> >>
> >>> I want to implement a Media Wiki at work, but my boss is worried about
> >>> security risks.  To me it seems simple, if it's not exposed to the world,
> >>> what's the problem?  Am I missing something?
> >>>
> >>> Thanks,
> >>> Jeff
> >>> _______________________________________________
> >>> Discuss mailing list
> >>> Discuss at blu.org
> >>> http://lists.blu.org/mailman/listinfo/discuss
> >>>
> >> if "it's not exposed to the world" is known to be a true statement, then
> >> what is he concerned about?
> >>
> >> I will say that MediaWiki *is* very hard to lock down if that statement
> >> is not known to be true.  Most wikis fall into one of two camps:
> >> "Information wants to be free and that's what wikis are for so why would
> >> you want to lock it down?" and "Today's internet is a scary place and
> >> even wikis need access control".  There's not much in the middle.
> >>
> >> I LOVE Foswiki for many reasons, but very high on the list is that it
> >> has full user/group authorizations at the system level, the wiki level,
> >> and at the page level.
> >>
> >
> > +1
> >
> > Mediawiki's documentation specifically warns against trying to implement
> > access controls. The software is used at Wikipedia, and so is geared toward
> > an "everybody can write" model, albeit with retroactive oversight.
> >
> > I'm not familiar with Foswiki, but your point is well taken: the idea of a
> > wiki is that many hands make short work, and trying to limit access is a
> > contradiction in terms.
> >
> > Bill
> >
> > --
> > Bill Horne
> > William Warren Consulting
> > http://www.william-warren.com/
> > 339-364-8487
> >
> >
>
>
>
> --
> John Abreau / Executive Director, Boston Linux & Unix
> Email: abreauj at gmail.com / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
> PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
>
