WebServerSecurity

Summary: How to use ".htaccess" to make PmWiki more secure
Version:
Prerequisites:
Status:
Maintainer: NeilHerber

Question

How can I use ".htaccess" to make PmWiki more secure?

Answer

The Apache server (and other compatible web servers) can make use of per-directory ".htaccess" files to control access.

For PmWiki, there is a small but finite danger that scripts (configuration files) in the "local/" or "cookbook/" directories could be used to compromise your server. Most configuration files simply set values for variables and may include a few other scripts. But if a configuration file manipulates files or makes calls to the operating system (or includes another script that does).

Any risk from the configuration files can be virtually eliminated by making sure the beginning of the file reads...

   <?php if (!defined('PmWiki')) exit();

As an extra precaution, PmWiki comes with special ".htaccess" files in the "local/" and "cookbook/" directories that prevent these directories from being accessed with a browser. In the case of a WikiFarm, you should add such a file to the local/ directory of every field. They should read:

# .htaccess - Apache fileserver configuration file
# This file is in the directory to prevent the directory's
# contents from being accessed directly by browsers
# (this is a potential security hole).
Order Deny,Allow
Deny from all

PmWiki automatically places such a file in wiki.d, but this protection is inactive if per-directory overriding is disabled in the Apache configuration (see the section on AllowOverride below).

In the Apache 2 ".htaccess" tutorial (http://httpd.apache.org/docs-2.0/howto/htaccess.html) they suggest that to improve performance, all the configuration done using per-directory .htaccess files should be moved into the main httpd.conf file. However, if you do not have access to httpd.conf, the only choice you have is to use .htaccess. There is also some debate as to how much of a performance hit .htaccess processing creates.

.htaccess is dependent on correct setting of AllowOverride

Be very cautious when relying on .htaccess to implement your wiki security! If you use .htaccess rules to protect against unauthorized access to sensitive files in your wiki, make very sure the configuration of your Apache web server allows the use of .htaccess. In particular, make sure the web server configuration has the AllowOverride directive set to some value other than None.

When this directive is set to None, .htaccess files are completely ignored, and some directories that shouldn't be accessible are probably publicly accessible to anonymous (not-logged-in) users!

There are some Linux distros, for example Ubuntu, where the out-of-the-box Apache2 configuration sets AllowOverride None for some or all directories that are publicly accessible through the web. In effect this renders all measures to protect your sensitive files by use of .htaccess useless! So be sure to change the default Apache configuration, at least for your PmWiki directories, like this:

<directory /home/paul/wiki/>
  AllowOverride All
  ..
</directory> 

or at least like this:

<directory /home/paul/wiki/>
  AllowOverride FileInfo Limit
  ..
</directory> 
  • The directive Limit allows .htaccess to permit and prohibit access to directories using the "Allow", "Deny" and "Order" keywords.
  • The directive FileInfo allows .htaccess to rewrite URLs with the keywords RewriteEngine, RewriteOptions, RewriteBase, RewriteCond and RewriteRule. These are necessary for implementing the Cookbook recipe CleanUrls.
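
An added Python check (not part of PmWiki or of this recipe) that ties the two points above together: it verifies that a local/ or cookbook/ script starts with the PmWiki guard line, that a directory's .htaccess really denies access, and that the AllowOverride in effect for the wiki directory lets that .htaccess rule take effect at all. The sample httpd.conf fragment and .htaccess text are constructed; recognising the Apache 2.4 "Require all denied" form and its AuthConfig override is my addition beyond the page.

```python
import re
from pathlib import PurePosixPath
# Constructed sample inputs: an Ubuntu-style apache2.conf fragment and this recipe's .htaccess.
SAMPLE_CONF = """
<Directory /var/www/>
    AllowOverride None
</Directory>
<Directory /var/www/html/pmwiki/>
    AllowOverride FileInfo Limit
</Directory>
"""
SAMPLE_HTACCESS = "# .htaccess\nOrder Deny,Allow\nDeny from all\n"
# Guard line PmWiki expects at the top of every script in local/ and cookbook/.
GUARD_RE = re.compile(r"^\s*<\?php\s+if\s*\(\s*!\s*defined\s*\(\s*['\"]PmWiki['\"]\s*\)\s*\)\s*exit\s*\(\s*\)\s*;")

def has_pmwiki_guard(php_source: str) -> bool:
    """True if the script exits unless PmWiki itself included it."""
    return GUARD_RE.match(php_source) is not None

def htaccess_override_needed(htaccess: str):
    """AllowOverride token the deny rule depends on, or None if the file denies nothing."""
    lines = [l.strip().lower() for l in htaccess.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    if "order deny,allow" in lines and "deny from all" in lines:
        return "limit"       # Apache 2.2 syntax (mod_access_compat on 2.4)
    if "require all denied" in lines:
        return "authconfig"  # Apache 2.4 syntax; an addition beyond the recipe
    return None

DIR_RE = re.compile(r'<directory\s+"?([^\s">]+)"?\s*>(.*?)</directory>', re.I | re.S)
AO_RE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.I | re.M)

def allow_override_for(httpd_conf: str, path: str) -> str:
    """Deepest <Directory> block covering path that sets AllowOverride wins; Apache's default is None."""
    target, best_depth, best_value = PurePosixPath(path), -1, "None"
    for m in DIR_RE.finditer(httpd_conf):
        block = PurePosixPath(m.group(1))
        if block != target and block not in target.parents:
            continue
        ao = AO_RE.search(m.group(2))
        if ao and len(block.parts) > best_depth:
            best_depth, best_value = len(block.parts), ao.group(1)
    return best_value

def htaccess_is_honoured(httpd_conf: str, wiki_dir: str, htaccess: str) -> bool:
    """The deny rule only bites if the server lets .htaccess set it (All, or the needed token)."""
    needed = htaccess_override_needed(htaccess)
    tokens = allow_override_for(httpd_conf, wiki_dir).lower().split()
    return needed is not None and ("all" in tokens or needed in tokens)
```

Run it against your real httpd.conf and the .htaccess files in local/, cookbook/ and wiki.d/ to confirm the Deny rules are actually in force rather than silently ignored.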

2014-02-09 PaulWiegmans