Michael Holzt wrote:
I guess I would vote for Twiki if we were changing.

Sorry, twiki isn't going to be installed on _any_ machine controlled by me. twiki has a bad history of (overly stupid!) security incidents and its main developer (Peter Thoeny) has reacted in a very unfriendly and unprofessional way to people reporting such issues.

I was involved in a case where lots of machines were owned because of a very stupid hole in twiki (doing shell execs with unfiltered user input, OUCH!). It turned out that Peter already knew about this hole for DAYS, but decided to sit on it for some more days while pondering what to do now. He planned to write an advisory, but this was due to be published ONLY to a twiki-users mailing list, not to the general public...

A friend of mine discovered the hole by analyzing the logs of an owned machine. An advisory was written (took under 30 minutes) and published (after Peter was contacted and acknowledged this). Shortly after this, a machine of a friend of Peter was owned and then suddenly Peter blamed US because we made the knowledge about the hole public...

So, sorry, but I won't install software from an author who keeps blatant security holes secret on purpose.

I can't really comment on your situation because I wasn't there... But I think that sometimes it's prudent to keep such security problems "secret" until a solution is found.

Discussing them (and their solutions) on mailing lists and such is one thing, but publicly announcing the problem to the world just opens up every (in this case) Twiki installation to being hacked by would-be hackers.

As I said, I don't know the situation and won't take any sides here, I just wanted to interject that thought.
