Securing a directory
Dokuwiki says it is not secure
lverona #1
Member for a month · 4 posts
Group memberships: Members
Subject: Securing a directory
Hey folks!

I was alerted to a problem with my dokuwiki installation from the admin page. It led me to this page: https://www.dokuwiki.org/security#web_access_security

The page lists directories that must be secured and gives a link to check: http://yourserver.com/data/pages/wiki/dokuwiki.txt

The link above, unfortunately, still opens. I am not sure how to use htaccess and the instructions on the wiki page are just way above my head. I also don't want to fiddle around with my server settings, if possible, since dokuwiki is only a small part of my setup.

Is there a way to somehow manually secure the installation without using htaccess?
lverona #2
Member for a month · 4 posts
Group memberships: Members
And a follow-up question: what can someone do if they do have access to these directories from the web?
StarArmy #3
Member since Nov 2011 · 125 posts
Group memberships: Members
What OS are you using for your server?
lverona #4
Member for a month · 4 posts
Group memberships: Members
It's some flavor of Ubuntu, either 12.04 or 14.04. I think it is 14.04.
lverona #5
Member for a month · 4 posts
Group memberships: Members
Was able to activate .htaccess and folders conf and data are no longer accessible. vendor, however, still is.
ryan.chappelle #6
User title: Chilean DW Fan
Member since May 2008 · 220 posts · Location: Temuco, Chile
Group memberships: Local Moderators, Members, Newsletter Team
vendor should be accessible (it should at least be readable and writable by your webserver, readable at most for anyone else) as that is used by your webserver to service some components that are not part of the DokuWiki installation. Most importantly, GeSHi, the syntax highlighter.

> what can someone do if they do have access to these directories from the web?
For inc, tpl and vendor: if they have read access (which they should), not much. They would get the same files from downloading DokuWiki anyway.
For data and conf: if they have read access, they can access your userlist and your hashed passwords, as well as your plugin configuration (which might include auth models) and word / domain blocklist if any.
Chilean DW Fan!
my plugins for DokuWiki
GULIX, my area's LUG
Surviving earthquakes since Feb 2010!
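
An added example, not part of the original thread: a script that repeats the "does the link still open?" check from post #1 for both directories the thread calls sensitive, and first confirms the base URL really points at the wiki so a 404 is not mistaken for protection. The function names, the default URL and `conf/mime.conf` (assumed to be a plain-text file under `conf/`) are assumptions.

```python
#!/usr/bin/env python3
"""Check that a DokuWiki's data/ and conf/ files are not served over HTTP."""
import sys
import urllib.error
import urllib.request

CONTROL = "doku.php"  # must exist: a 404 or no answer means the base URL is wrong
# First entry is the check link from the thread; conf/mime.conf is an assumed
# plain-text file under conf/ (swap in any file you know exists there).
MUST_BE_BLOCKED = ["data/pages/wiki/dokuwiki.txt", "conf/mime.conf"]

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx itself instead of following it

def http_status(url, timeout=10):
    """Return the HTTP status of a GET for url, or None if unreachable."""
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403, 404, ... are answers, not failures
    except (urllib.error.URLError, OSError):
        return None

def verdict(status):
    if status is None:
        return "UNKNOWN"  # server not reached, proves nothing
    if 200 <= status < 300:
        return "EXPOSED"  # the file content was served
    if status in (401, 403, 404):
        return "BLOCKED"
    return "REVIEW"  # redirects and 5xx need a look by hand

def audit(base_url, fetch=http_status):
    """Map each protected path to (status, verdict) for the wiki at base_url."""
    base = base_url.rstrip("/") + "/"
    control = fetch(base + CONTROL)
    if control in (None, 404):
        raise ValueError(f"{base}{CONTROL} answered {control}; check the base URL")
    return {p: (s, verdict(s)) for p in MUST_BE_BLOCKED for s in [fetch(base + p)]}

if __name__ == "__main__":
    report = audit(sys.argv[1] if len(sys.argv) > 1 else "http://localhost/dokuwiki")
    for path, (status, result) in report.items():
        print(f"{result:8} {status}  {path}")
    sys.exit(0 if all(v == "BLOCKED" for _, v in report.values()) else 1)
```

Run it with the wiki's base URL as the only argument; the exit status is non-zero unless every listed file is blocked, so it can be rerun after each web server change.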