> I guess I would vote for Twiki if we were changing.

Sorry, twiki isn't going to be installed on _any_ machine controlled by 
me. twiki has a bad history of (overly stupid!) security incidents, and 
its main developer (Peter Thoeny) has reacted in a very unfriendly and also
unprofessional way to people reporting such issues. 

I was involved in a case where lots of machines were owned because of a
very stupid hole in twiki (doing shell execs with unfiltered user input, 
OUCH!). It turned out that Peter had already known about this hole for DAYS,
but decided to sit on it for some more days while pondering what to do
now. He planned to write an advisory, but this was due to be published
ONLY to a twiki-users mailing list, not to the general public...

A friend of mine discovered the hole by analyzing the logs of an owned
machine. An advisory was written (took under 30 minutes) and published 
(after Peter was contacted and acknowledged this). Shortly after this,
a machine of a friend of Peter's was owned, and then suddenly Peter blamed
US because we made the knowledge about the hole public...

So, sorry, but I won't install software from an author who keeps blatant
security holes secret on purpose.


Regards
Michael

-- 
      It's an insane world, but I'm proud to be a part of it. -- Bill Hicks