Security

DokuWiki is a web application and is often used on public servers, reachable from the Internet. This means it is at a greater risk to be attacked by malicious people than for example a local application on your desktop system.

DokuWiki is developed with security in mind. We try to find a balance between user friendliness and security, but favor security when no satisfying compromise can be found.

This page should give you an overview on what aspects you should have an eye on to make sure your DokuWiki is secure.

When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are:

• Submit a bug report
• Send a mail to the mailinglist
• Send a private mail to andi [at] splitbrain [dot] org

The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide.

All previous security issues can be seen in the bugtracking system.

Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the update check mechanism.

You should always run the most current release of DokuWiki as there are no security fixes released for older versions.

DokuWiki stores configuration and page data in files. These files should never be accessible directly from the web. The distribution tarball contains a set of .htaccess files which usually tell the Apache web server to deny access to certain directories.

If you don't use the Apache web server or your Apache does not use .htaccess files you need to manually secure your installation

The following directories should not be accessible from the web:

• data
• conf
• bin
• inc (isn't dangerous when accessible, though)

To check if you need to adjust the access permissions try to access http://yourserver.com/dokuwiki/data/pages/wiki/dokuwiki.txt. You should not get access to that file this way.

If your directories are not properly secured, read the following subsections on how to do that.

The simplest way is to enable .htaccess support in your Apache configuration. Please see the Apache .htaccess Tutorial.

Access to the mentioned directories can be disabled in IIS' configuration settings.

1. Open the configuration tool: Start → Settings → Control Panel → Administrative Tools → Internet Information Services
2. Navigate to the directory you want to protect: Local Computer → Web Sites → Default Web Site → path to directory
3. Right-Click the folder and chose Properties → Directory Security → IP address and domain name restrictions → Edit…
4. Choose “By default, all computers will be: Denied access”

The most secure way to avoid any access to the mentioned directories is to move them outside the so called “Document Root” of your Webserver.

1. Move the data directory (and all its contents) out of the document root
2. Edit the savedir setting to point to the new location of the data directory.

For example, if the data directory is moved to /home/yourname/data, add the following line to conf/local.php:

$conf['savedir'] = '/home/yourname/data/';

1. Move the conf directory (and all its contents) out of the document root
2. Create a file named preload.php inside the inc directory and set the DOKU_CONF define to the new location of the conf directory.

For example, if the conf directory is moved to /home/yourname/conf, create the following inc/preload.php:

inc/preload.php

<?php
 
define('DOKU_CONF','/home/yourname/conf/');

The bin directory contains CLI tools. If you don't have shell access on your server anyway you can simply delete the directory and its contents. Otherwise just move it out of the document root. No further configuration needed.

There is currently no easy way to move this directory out of the document root. But since it doesn't contain any sensitive data it isn't worth the effort to try anyway.

DokuWiki contains several configuration settings that have an impact on various security aspect of the installation. Please refer to the documentation of each setting to learn what they do and what suggested settings are.

• allowdebug – disabling debugging output to avoid system information leakage
• fmode, dmode – set the file permissions of DokuWiki created files, also read info on setting up permissions
• fetchsize – configure caching of external data
• fullpath – showing full path names for pages
• all authentication settings
• usewordblock – prevent spam through a blacklist
• mailguard – avoid mail address harvesting robots
• iexssprotect – protect against a XSS problem within Internet Explorer
• htmlok – enable HTML
• phpok – enable PHP
• hidepages – hide certain pages from indexes and search
• safemodehack – work around safe mode restrictions

DokuWiki has lots of community contributed plugins. Plugins add new functionality to DokuWiki by adding new code. This means the code has practically any access to your server. Additionally plugins are distributed separately from DokuWiki in an entirely ad-hoc manner. They are not subject to the same degree of attention and review that the core DokuWiki code base gets. So security precautions are necessary before installing a plugin.

Here are some tips to help you with choosing the plugins you install.

• If you can, review the plugin source code yourself, before installing it.
• If in doubt, ask on the mailing list.
• Plugins are installed under the DokuWiki lib directory, which is directly accessible from the outside. Review what a plugin contains and lock down access with .htaccess files as appropriate.
• Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, have malicious intent or may host the plugin source code on a server that has been compromised. Be careful whom you trust!
• Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available.

Here are a few more internal and external pages related to security.

• Setting up Access Controls
• Force login via HTTPS
• PHP Configuration for DokuWiki
• Remove ACL rules for deleted pages
• Apache Security - Chapter 3: Locking down PHP.