[Moin-user] MoinMoin used for porn spam publication

Jean-Philippe Guérard jean-philippe.guerard at tigreraye.org
Wed May 9 16:39:49 EDT 2007


On 2007-05-09 15:59:56 -0400, Jim Popovitch wrote:
> On Wed, 2007-05-09 at 21:47 +0200, Jean-Philippe Guérard wrote:
> > I think this is an important issue that should be dealt with.
> > 
> >  - Is there any way to deal with this better than I did?
> 
> Would you run a public facing upload'able FTP site?   I doubt it.  Why
> do you run a wiki that allows anyone to post anything at will?

That's a good point.

This was a closed site (write access limited to a specific group of 
users) that was opened (write access limited to known users) later on, 
without taking this aspect into account.

> >  - Is there any upcoming security evolution to fix this?
> 
> There already is, look at using ACLs to limit who does what on your
> wiki.  Moin is not responsible for securing your site, you are. ;-)

We are already using ACLs. But:

 - There is no ACL defined to limit adding attachments. Write access 
   gives you both the right to add attachments (if attachments are 
   enabled) and to write text. Either you forbid attachments for 
   everybody, or you enable attachments for all users with write 
   access.
   
 - The subscription feature acts as an audit tool for the text being
   written. If somebody writes something that's not acceptable, I'm 
   notified (as I'm subscribed to the whole wiki), and I can revert the 
   page. There is no such audit tool for attachments.

Thanks.

-- 
Jean-Philippe Guérard
http://tigreraye.org
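
Added example, not part of the original message and not MoinMoin code: a periodic audit an administrator could run to cover the attachment gap described above, listing attachment files that changed since the last review. It assumes the wiki stores uploads under `<pages_dir>/<PageName>/attachments/`; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
import time


def recent_attachments(pages_dir, since_epoch):
    """Return sorted (mtime, page, filename) for attachments modified after since_epoch."""
    found = []
    for page in sorted(os.listdir(pages_dir)):
        # Assumed layout: one directory per page, uploads in "attachments".
        att_dir = os.path.join(pages_dir, page, "attachments")
        if not os.path.isdir(att_dir):
            continue  # page has never had an attachment
        for name in os.listdir(att_dir):
            path = os.path.join(att_dir, name)
            if not os.path.isfile(path):
                continue
            mtime = os.path.getmtime(path)
            if mtime > since_epoch:
                found.append((mtime, page, name))
    return sorted(found)


def build_sample_tree(root, now):
    """Constructed sample data: three pages, one old and one new attachment."""
    samples = [
        ("FrontPage", "old.png", now - 7 * 86400),  # uploaded a week ago
        ("SandBox", "new.jpg", now - 60),           # uploaded a minute ago
    ]
    for page, name, mtime in samples:
        att_dir = os.path.join(root, page, "attachments")
        os.makedirs(att_dir)
        path = os.path.join(att_dir, name)
        with open(path, "wb") as fh:
            fh.write(b"sample")
        os.utime(path, (mtime, mtime))
    os.makedirs(os.path.join(root, "HelpContents"))  # page without attachments


if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, now)
        # Report everything uploaded in the last hour.
        for mtime, page, name in recent_attachments(root, now - 3600):
            print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)), page, name)
```

Run from cron with the time of the previous run as the cutoff, the output can be mailed to the same person who receives the page-change notifications.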




