security

security [2021-09-29 17:18] – major cleanup andi
security [2024-02-13 09:17] (current) – undo 178.197.202.230
Line 11: Line 11:
 When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are: When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are:
  
 +  * Report through [[https://www.huntr.dev/repos/splitbrain/dokuwiki|huntr.dev]]
   * Submit a [[bugs|bug report]]   * Submit a [[bugs|bug report]]
   * Send a mail to the [[mailinglist]]   * Send a mail to the [[mailinglist]]
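Review bot: inserting the huntr.dev bullet at the top of the list changes what the unchanged sentence below it refers to: "The first two ways should be preferred" now means huntr.dev and the bug report, and the mailing list drops out of the preferred set unless that is intended. Update the count in the same change (e.g. "The first three ways should be preferred"). Also, this link uses the `splitbrain/dokuwiki` repository path while the bugtracker link in the next hunk is moved to `dokuwiki/dokuwiki`; verify the huntr.dev project path still resolves after the repository move.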
Line 17: Line 18:
 The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide.
  
-Previous security issues can be seen in the [[https://github.com/splitbrain/dokuwiki/issues?q=label%3ASecurity+|bugtracking system]].+Previous security issues can be seen in the [[https://github.com/dokuwiki/dokuwiki/issues?q=label%3ASecurity+|bugtracking system]].
  
 Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism.
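Review bot: the repository rename from `splitbrain/dokuwiki` to `dokuwiki/dokuwiki` is applied only to the bugtracker link here; the huntr.dev link added in the previous hunk still points at `splitbrain/dokuwiki`. Both references should use the same repository path, or the huntr.dev one should say it is the legacy path.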
Line 163: Line 164:
 ==== Deny Directory Access in Lighttpd ==== ==== Deny Directory Access in Lighttpd ====
  
-Using a [[[[https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModRewrite||URL re-write]] you can deny access to the above directories. In your /etc/lighttpd/lighttpd.conf file adding the following URL rewrite rule should be sufficient to keep people out. It supposes your Dokuwiki files are installed under http://yourwebsite.tld/dokuwiki/.+Using a [[https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModRewrite||URL re-write]] you can deny access to the above directories. In your /etc/lighttpd/lighttpd.conf file adding the following URL rewrite rule should be sufficient to keep people out. It supposes your Dokuwiki files are installed under http://yourwebsite.tld/dokuwiki/.
   url.rewrite-once = ( "^/dokuwiki/(data|conf|bin|inc|vendor)/+." => "/nonexistentfolder" )   url.rewrite-once = ( "^/dokuwiki/(data|conf|bin|inc|vendor)/+." => "/nonexistentfolder" )
 Don't forget to uncomment or add “mod_rewrite” in the server.modules section of /etc/lighttpd/lighttpd.conf. It should look like this: Don't forget to uncomment or add “mod_rewrite” in the server.modules section of /etc/lighttpd/lighttpd.conf. It should look like this:
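Review bot: the fix removes the stray leading `[[` but keeps the double pipe in `[[https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModRewrite||URL re-write]]`. DokuWiki separates the link target from its title with a single `|`, so the rendered title will start with a pipe character; change it to `[[https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModRewrite|URL re-write]]`. The rewrite rule itself is untouched by this hunk.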
Line 185: Line 186:
  
 Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file.
-In your nginx.conf file add the following location to prevent access to secure directories. +In your host configuration file (for example, /etc/nginx/sites-available/default) or nginx.conf file add the following location to prevent access to secure directories.
  
-//This instruction is slightly misleadingWhat you should actually edit is the /etc/nginx/sites-available/default fileRemember to first create a backup by issuing cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak// +:!: Make sure that the rule is processed before other rules that control access to certain files.((See this [[https://forum.dokuwiki.org/d/21122-security-warning-persists/9|forum thread]] and [[https://stackoverflow.com/questions/76369813/why-are-my-jpg-and-png-files-accessible-despite-nginx-access-restriction|stackoverflow]]))
-//Or in the virtualhost where you are hosting dokuwiki//+
  
 <code> <code>
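Review bot: the new `:!:` warning says the rule must be "processed before other rules", but nginx evaluates only regex `location ~` blocks in file order; prefix locations are matched by longest prefix regardless of where they appear. Since the `<code>` block that follows defines the rule, the warning should say which form it uses: if it is a regex location, tell the reader to place it above any other `location ~` block (such as the static-file rule behind the linked forum thread and stackoverflow question), or recommend a `^~` prefix location so the order no longer matters. The removed italic note also carried a reminder to back up the file before editing (`cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak`); a one-line backup reminder is worth keeping alongside the new path advice.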
Line 289: Line 289:
   * [[config:fullpath]] -- showing full path names for pages   * [[config:fullpath]] -- showing full path names for pages
   * all [[auth|authentication settings]]   * all [[auth|authentication settings]]
-  * [[config:usewordblock]] -- prevent spam through a blacklist+  * [[config:usewordblock]] -- prevent spam through a blocklist
   * [[config:mailguard]] -- avoid mail address harvesting robots   * [[config:mailguard]] -- avoid mail address harvesting robots
   * [[config:iexssprotect]] -- protect against a XSS problem within Internet Explorer   * [[config:iexssprotect]] -- protect against a XSS problem within Internet Explorer
Line 307: Line 307:
   * If you can, review the plugin source code yourself, //before// installing it.   * If you can, review the plugin source code yourself, //before// installing it.
   * If in doubt, ask on the [[mailinglist|mailing list]].   * If in doubt, ask on the [[mailinglist|mailing list]].
-  * Plugins are installed under the DokuWiki ''lib'' directory, which is directly accessible from the outside. Review what a plugin contains and lock down access with .htaccess files as appropriate.+  * Plugins are installed under the DokuWiki ''lib'' directory, which is directly accessible from the outside. Review what a plugin contains and if access is appropriate, plugins shouldn't store sensitive info in their own directory.
   * Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, have malicious intent or may host the plugin source code on a server that has been compromised. Be careful whom you trust!   * Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, have malicious intent or may host the plugin source code on a server that has been compromised. Be careful whom you trust!
   * Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available.   * Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available.
 +  * If in doubt, let plugins be reviewed by a professional first. See [[faq:support]].
  
 See also: [[devel:security#reporting_security_issues|How to report security issues in plugins]] See also: [[devel:security#reporting_security_issues|How to report security issues in plugins]]
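Review bot: the rewritten `lib` bullet is grammatically broken and loses its actionable step: "Review what a plugin contains and if access is appropriate, plugins shouldn't store sensitive info in their own directory" mixes an instruction for administrators with a rule for plugin authors, and it drops the previous `.htaccess` lock-down advice without a replacement. Split it into two sentences, e.g. "Review what a plugin contains and whether it is appropriate for those files to be reachable from the web." followed by "Plugins should not store sensitive information in their own directory." The added "If in doubt, let plugins be reviewed by a professional first" bullet also duplicates the opening of the earlier "If in doubt, ask on the mailing list" item; consider merging the two or placing them next to each other.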
security.1632928709.txt.gz · Last modified: 2021-09-29 17:18 by andi

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International