-
2009-02-03
sherri
The www.mywiki.com/doku.php?do=check command provides too much information that could be a security risk. This should NEVER be available to non-logged-in users (the public), and IMHO not even to non-admins. Best case scenario, logged-in non-admins should only see information that pertains to them specifically, not to the server or DokuWiki install.
-
2009-02-03
sherri
Solution:
in: inc/actions.php, in the act_dispatch() function:
Replace:
    //display some infos
    if($ACT == 'check'){
        check();
        $ACT = 'show';
    }
With:
    //display some infos
    if($ACT == 'check'){
        if($INFO['isadmin']){
            check();
        }
        $ACT = 'show';
    }
-
2009-02-03
andi
There are no security-critical infos in the do=check output. If you consider version numbers critical then you can disable the action through the disableactions config option. It does provide a lot of useful data to help people make sure their wiki is running correctly or debug login/authentication problems - limiting this to admins would be counterproductive in that case.
-
2009-02-03
sherri
And yet... who would need to debug a malfunctioning wiki? Admins! Why would the public ever need to see this?
-
2009-02-03
andi
An admin that can't log in as an admin for example, trying to debug why he isn't recognized as admin ;-)
-
2009-02-03
sherri
Oh brother. Well, at least it is disable-able in the configuration menu. That's good enough for me. :)
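The two mitigations discussed above (the disableactions config option andi points to, and the admin gate in sherri's patch), shown together in a small stand-alone PHP model. This is an added example, not DokuWiki's own code: action_allowed() and may_run_check() are hypothetical names, and the real wiki performs the config check in actionOK() in inc/common.php.

```php
<?php
// Added example (not DokuWiki's own code): a small model of gating the
// do=check action. Layer 1 is the disableactions config option, a
// comma-separated action list set in conf/local.php, for example
//     $conf['disableactions'] = 'check';
// Layer 2 is the $INFO['isadmin'] check from the proposed patch.
// action_allowed() and may_run_check() are hypothetical names.

// Hypothetical stand-in for DokuWiki's actionOK(): an action is
// permitted unless it appears in the disableactions list.
function action_allowed($action, array $conf)
{
    $disabled = array_map('trim', explode(',', (string) $conf['disableactions']));
    return !in_array($action, $disabled, true);
}

// Both layers combined: diagnostics run only for admins, and never
// when the action has been disabled site-wide.
function may_run_check($act, array $conf, array $info)
{
    if ($act !== 'check') return false;
    if (!action_allowed('check', $conf)) return false;
    return !empty($info['isadmin']);
}

// Stand-in for the real check(): the diagnostic output itself.
function check()
{
    echo "  (diagnostic output about the server and the install)\n";
}

// Constructed scenarios: disableactions value and caller's admin status.
$scenarios = array(
    array('conf' => '',      'isadmin' => false, 'label' => 'default config, anonymous'),
    array('conf' => '',      'isadmin' => true,  'label' => 'default config, admin'),
    array('conf' => 'check', 'isadmin' => true,  'label' => 'check disabled, admin'),
);
foreach ($scenarios as $s) {
    $conf = array('disableactions' => $s['conf']);
    $INFO = array('isadmin' => $s['isadmin']);
    $shown = may_run_check('check', $conf, $INFO);
    echo $s['label'], ': ', ($shown ? 'shown' : 'hidden'), "\n";
    if ($shown) check();
}
```

With the default (empty) disableactions value only the admin scenario prints diagnostics; setting the option to 'check' hides the output even from admins, which is the trade-off the thread ends on.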