Multiple answer:

Jerome Velociter wrote:
>
>> Is XWiki prone to the same kind of problem?
>
> I'm wondering what kind of answer you can expect here: We won't say XWiki
> is "perfectly secured", because there are no such things as perfectly
> secured systems in the nature yet; On the other side, if we hypothetically
> had known unresolved security issues, we would not tell about them here
> either, because, well, they are unresolved security issues that could be
> exploited on running servers.

You have a point here :) but then I can be reasonably tranquil that
security issues are taken care of...

------------

Ronald Parris wrote:
> I run a web hosting service. 99% of the applications deployed are
> JAVA based.
> 1% of the applications are PHP based. HOWEVER 99% of all application
> related security issues we deal with are related to PHP.

Ok, that is reassuring information.

----------

[Ricardo Rodriguez] Your EPEC Network ICT Team wrote:
>
> you are comparing two different things. PHP can not be one term of the
> comparison. You can compare PHP with Java; or XWiki with MediaWiki (the
> first running on a Java servlet container, the second running on PHP).

From Ronald's answer above, I can see that Java is reasonably safe as a
platform. I was not comparing PHP and XWiki, just giving an example of a
security issue...

------------

From all your answers, I feel safe enough about using XWiki.

Thanks to all,
Alain

>
> Hope this helps,
> Jerome.
>
>> Thanks,
>> Alain
>>
>> Sergiu Dumitriu wrote:
>>> Hi Alain,
>>>
>>> There are 2 security areas when talking about XWiki: the security of the
>>> underlying system, and the security of the wiki itself.
>>>
>>> The first one depends a lot on the security of the container (Tomcat,
>>> for example), and I think that most containers are pretty safe to use,
>>> as a lot of websites are built on the Java technology. One important
>>> aspect is the security model of the JVM; you can leave the container
>>> without a security manager, which allows an application to do anything
>>> (well, anything the user owning the java process can do on the system),
>>> or enable the security manager which allows an application to do only
>>> what you tell it to. While enabling the security manager is the safest
>>> thing to do, we didn't quite experiment with this, so we can't provide a
>>> good policy file that will allow XWiki to run; you will have to write it
>>> yourself. There is a minimal file which allows XWiki to start under the
>>> security manager, but it isn't tested on more than viewing a page (see
>>> http://jira.xwiki.org/jira/browse/XWIKI-348). If you want to play around
>>> with this policy file until you determine the minimum safe set of rules,
>>> then you won't have anything to worry about on the system security.
>>>
>>> The second part is a bit trickier, as it depends a lot on how you manage
>>> users and their rights. If you only grant view and edit rights to people
>>> you trust, then there shouldn't be any risks. If you open the wiki for
>>> public registration and public editing, then you will have the problem
>>> any wiki has: anyone can alter the data. This is where the
>>> administrator(s) are needed: managing users and their roles/rights. A
>>> pretty good thing is that XWiki has versioning, so you can always revert
>>> a document to a previous version, and a recycle bin, so you can recover
>>> deleted documents.
>>>
>>> Regarding rights, there is a major issue: XWiki has something called the
>>> Programming right, something that allows users to go beyond simple
>>> editing, as it allows a user to write scripts that can alter all the
>>> data in the wiki, or even scripts that can do anything a java program
>>> can do (even access the filesystem and send data over the network). This
>>> is where the security manager I talked about above is useful, as it
>>> restricts what such a script can do on the system. Now, this is
>>> something you should take extra care about: it is not a problem unless
>>> you make it one. Never let this right be used in the wiki; it is not
>>> intended to be granted to normal users but to your "super"
>>> administrators, who know how and when to use this access right. This
>>> means that you should only use the default Admin account to set up the
>>> wiki, then create a normal user for day-to-day editing.
>>>
>>> So, as a conclusion, XWiki CAN be safe, and it CAN be unsafe; it is only
>>> a matter of proper configuration. It does not contain anything
>>> inherently unsafe, it is built on a safe platform, with the dangerous
>>> things (programming right) locked up by default.
>>>
>>> Alain M. wrote:
>>>> Please, can anyone help me on this matter?? I have waited some time but
>>>> didn't get an answer. This is important, any information will help
>>>> -------
>>>>
>>>> If I install xwiki in a VPS, and leave it running, with a firewall that
>>>> leaves open only the port that xwiki is using,
>>>>
>>>> Could it be attacked by a hacker to gain access to the server?
>>>>
>>>> Do I need some extra protection? Is there a security tutorial?
>>>>

_______________________________________________
users mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/users
