
Question

Hello everybody,

How do I have to enable the use of PHP in the topics? I know that it is a security hole, but I just want to use it.

Don't hesitate to answer.

Environment

TWiki version: TWikiRelease04x00x05
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: Suse Linux 10.1
Web server: Apache 2.2.0
Perl version: 5.8.8
Client OS: Windows XP
Web Browser: Internet Explorer
Categories: Security

-- MichaelWeber - 20 Dec 2006

Answer


One way is to upload a .php file to a topic, and set up Apache to execute the .php file on request in /pub dir (instead of offering it for download).

To have the PHP file "executed" inside a TWiki topic, you could use an <iframe> tag or similar.

-- SteffenPoulsen - 20 Dec 2006

Hi Steffen,

Thanks for the early reply. It works incredibly well.

-- MichaelWeber - 21 Dec 2006

Sounds like a security nightmare, to me...

-- KeithHelfrich - 22 Dec 2006

Indeed - there was a TWikiSecurity alert on this, see SecurityAlertSecureFileUploads. I would suggest enabling PHP only on TWiki sites where every use of TWiki is authenticated (to avoid missing out on authenticating any operations by mistake), and there is no TWikiGuest userid. Just to spell this out - since PHP runs on the server, by enabling PHP within topics you are allowing users to run their own software on the server. Only advisable if you really trust the people using your TWiki, and authenticate them properly, etc.

-- RichardDonkin - 25 Dec 2006

Hello everybody,

I know that running PHP is a security nightmare. Therefore I use authentication in order to control the use of PHP. The advice is good and fits perfectly.

-- MichaelWeber - 27 Dec 2006

Just to make a point on how insecure this is: Anyone will be able to upload a script that circumvents the TWiki permissions. Any topic can be read, users could even manipulate topics, e.g. add themselves to the TWikiAdminGroup etc.

-- PeterThoeny - 28 Dec 2006
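For readers who land here looking for the opposite of the setup discussed above, the following is an added example (not from the thread or from the TWiki project) of an Apache 2.2 configuration that keeps the TWiki pub/ attachment directory from executing anything that has been uploaded, which is the condition SecurityAlertSecureFileUploads is about. The filesystem path and the mod_php module name are assumptions for this illustration.

```apache
# Added example, not TWiki's shipped configuration.
# Reverse of the thread's setup: attachments under pub/ are served as
# static files only, never handed to PHP, CGI or SSI.
<Directory "/var/www/twiki/pub">
    # No script execution, no server-side includes, no symlink tricks.
    Options -ExecCGI -Includes -FollowSymLinks
    # An uploaded .htaccess must not be able to re-enable any of this.
    AllowOverride None
    # Drop every handler/type mapping that would interpret uploaded scripts.
    RemoveHandler .php .phtml .php3 .pl .cgi .shtml
    RemoveType .php .phtml .php3
    # mod_php: turn the engine off for this whole tree
    # (module identifier assumed for a PHP 5 build).
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
    # Hand scripts back as plain text so the browser offers them for download.
    AddType text/plain .php .phtml .php3 .pl .cgi .sh
</Directory>
```

After a configtest and reload, requesting an attached `.php` file should return its source as text/plain rather than running it; if it still executes, a global `AddHandler`/`AddType` for PHP elsewhere in the config is being inherited and the block above needs to take precedence for pub/.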

Topic revision: r7 - 2006-12-28 - PeterThoeny