Question
- TWiki version: Latest
- Perl version: Red Hat Perl
- Web server & version: Apache
- Server OS: Red Hat 7.2
- Web browser & version:
- Client OS:
I am going to deploy a version of TWiki on the public internet and my hosting people have asked me to check up on the vulnerability of the Perl code. Sounds like an odd question to me, but does anyone else run TWiki in public who has checked the TWiki code?
How do you at TWiki.org protect yourselves from dodgy scripts?
Thanks
--
MartinRoberts - 11 Mar 2003
Answer
TWiki's Perl code is reasonably good, I think, compared to many CGI Perl scripts (see Google:nms+matt+archive for details of a rewrite of one popular set of security-holed scripts). See TaintChecking for some discussion - TWiki tries quite hard and has had various holes fixed, but I'm sure it can be improved as always. I have a public site at http://donkin.org btw.
For your ISP's purposes, I think they want to make sure that TWiki is not a 'dodgy script'. TWiki should be OK, but it sounds like they don't have an suexec-type SecureSetup, meaning that your files may be vulnerable to other people's CGI scripts, buggy or not. I'd recommend backups, and looking through TWikiOnWebHostingSites if you have the flexibility to choose another hosting site. I use Dreamhost who have a good security setup and are quite easy to install TWiki on.
--
RichardDonkin - 11 Mar 2003
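The answer above points at two things a host would check before letting a Perl CGI application onto a shared server: that the scripts run under Perl's taint mode (the -T switch, which refuses to pass request data into shell commands, file opens and the like until it has been explicitly untainted), and that the files cannot be written by other accounts on the box when there is no suexec-style isolation. The script below is an added example, not TWiki's own code, that audits a bin directory for both. It assumes each script begins with a "#!...perl" shebang line, and it builds a constructed sample directory (file names only borrowed from TWiki; the contents are stand-ins) so it can be run offline.

```shell
#!/bin/sh
# Added example (not TWiki's own code): audit a directory of Perl CGI scripts
# for taint mode (-T on the shebang line) and for files that another account on
# a shared host could write to. Assumes each script starts with "#!...perl".
# Usage: sh audit.sh /path/to/twiki/bin   (no argument: run on a built-in sample)

# Build a constructed sample "bin" directory so the script runs offline.
# The names mimic TWiki scripts; the contents are stand-ins, not TWiki code.
make_sample_bin() {
  dir=$(mktemp -d)
  printf '#!/usr/bin/perl -wT\nprint "ok\\n";\n' > "$dir/view"   # clean
  printf '#!/usr/bin/perl -w\nprint "ok\\n";\n'  > "$dir/edit"   # taint mode off
  printf '#!/usr/bin/perl -T\nprint "ok\\n";\n'  > "$dir/save"   # made world-writable below
  chmod 755 "$dir/view" "$dir/edit"
  chmod 777 "$dir/save"
  echo "$dir"
}

# Audit one script. Findings go to stderr; the return value is the number found.
audit_script() {
  f=$1
  rc=0
  shebang=$(head -n 1 "$f")
  case "$shebang" in
    '#!'*perl*)
      flags=${shebang#*perl}          # everything after the interpreter path
      case "$flags" in
        *T*) ;;                       # taint mode on
        *) echo "$f: perl run without -T (taint mode off)" >&2; rc=$((rc + 1)) ;;
      esac ;;
    *) echo "$f: first line is not a perl shebang" >&2; rc=$((rc + 1)) ;;
  esac
  # "ls -ld" prints e.g. "-rwxrwxrwx": column 6 is group write, column 9 other write.
  # On a host without suexec every CGI runs as the web server user, so a file that
  # any other account can write is a file any other account's script can replace.
  perms=$(ls -ld "$f" | cut -c1-10)
  case "$perms" in
    ?????w????|????????w?)
      echo "$f: writable by group or others ($perms)" >&2; rc=$((rc + 1)) ;;
  esac
  return "$rc"
}

# Audit every regular file in a directory and print the total number of findings.
audit_dir() {
  total=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    audit_script "$f" || total=$((total + $?))
  done
  echo "$total"
}

if [ -n "$1" ]; then
  audit_dir "$1"
else
  sample=$(make_sample_bin)
  audit_dir "$sample"      # prints 2: edit lacks -T, save is world-writable
  rm -rf "$sample"
fi
```

Taint mode is only a first line of defence: a script can still untaint input with an over-broad regular expression, so a clean result here means "the safety net is switched on", not "the code has been reviewed". The permission check is the one that matters most on a host without suexec; if the findings cannot be fixed with chmod because the web server itself needs write access to the data directory, that is the situation the answer describes, and backups plus a hosting provider with a real SecureSetup are the remedy.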
Thanks.