
The AttachFile action lets a page carry multiple attached files. Because file uploads can be abused for Denial of Service (DoS) attacks, for example by filling the server's disk, AttachFile is off unless the wiki administrator enables it. To enable it, add "allowed_actions = ['AttachFile']" to your configuration file.

This is all you usually need to do for configuration.

/!\ Warning: if you make your attachments directly accessible via the web server, make sure that the web server does not execute attachments (.php, .asp or other scripts) uploaded by malicious users. If you do not know how to do that, do not configure your installation as described below, or you risk making your server remotely exploitable.

How attachments are handled

There are two storage/retrieval models for file attachments:

  1. Attachments are stored "privately" and can only be retrieved via a CGI GET (via URLs like <SomePage>?action=AttachFile&do=get&target=filename.ext).

  2. Attachments are stored in a directory directly accessible by the web server, and can thus be served directly by the web server, without any invocation of MoinMoin (leading to URLs like <SomePage>/attachments/filename.ext).

The first option is the default; attachments are stored in the "...mywiki/data/pages/" directory, with paths like "...mywiki/data/pages/<pagename>/attachments/<filename>".

The MoinMoin attachments configuration option allows you to move the directory structure used to store attachments to another location. Unless you have a reason for doing so, there is no need to use a different location. Using a different location may be more work and more risk, as all the existing attachments must be copied to the new location. The following instructions are for Apache servers and assume you intend to leave the attachment files in their existing location and your original installation used the name "mywiki".

Serving attachments directly by the web server

  • /!\ Note that this does not work with attachments whose filenames contain non-ASCII characters.

  • /!\ Note that we plan to remove that option in 2.0. Because of that and the security problems noted below, we do not recommend that option.

The first step is to tell Apache that it has another Alias directory from which it can serve files. Review the changes you made to the httpd.conf (or commonhttpd.conf) file during the MoinMoin installation and find the ScriptAlias statement similar to the following:

    ScriptAlias /mywiki           ".../mywiki/moin.cgi" 

Create an Alias statement similar to the ScriptAlias statement above, replacing the /mywiki URI with /mywikiattach/ and replacing moin.cgi with data/pages/.

    Alias       /mywikiattach/    ".../mywiki/data/pages/"

Be sure to note the differences in the trailing slashes between the two statements, they must be entered exactly as shown above. If you are making this change to a running system, you must restart Apache to have the change take effect.

The second step is to tell MoinMoin to let Apache do the work of fetching file attachments. To do this, add an attachments option to your configuration file under .../mywiki/. The attachments option is a dictionary with two keys:

    attachments = {
        'dir': '.../mywiki/data/pages',
        'url': '/mywikiattach',
    }

MoinMoin must still do the work of uploading file attachments. The dir value above tells MoinMoin where to store attachments; note this is the same as the path in the new Apache Alias statement but without the trailing "/". The url value tells MoinMoin how to retrieve the attachments; this matches the URI in the Alias statement but again without the trailing "/".

/!\ Your attached files are now directly servable by Apache. However, if you also have PHP (or ASP or any other server-parsed language) installed, an attacker can upload a PHP script and then run it to exploit other local weaknesses.

For example, you can disable PHP for the attachments directory (note that it is difficult to give instructions for disabling every server-parsed language, since that depends on which modules and handlers your Apache loads).

    <Directory .../mywiki/data/pages/>
        # Undo AddType mappings for these suffixes (mod_mime). This does not
        # undo AddHandler mappings; check how PHP is wired up in your httpd.conf.
        RemoveType .php .php3 .php4 .phtml
    </Directory>

/!\ This only disables PHP for the listed suffixes; every other server-parsed language (CGI, SSI, mod_perl, ASP, ...) you have to disable on your own.

After you have completed the configuration changes, test by uploading an attachment for WikiSandBox. Then modify the WikiSandBox page to display the uploaded image or download the file. If there were existing attachments before this change, verify the old attachments are still available. Finally, review the Apache access.log file to verify you have a log entry showing the expected file access:

  • "...GET /mywikiattach/WikiSandBox/attachments/mypix.jpg HTTP/1.1...".
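The test above covers one upload and one access.log line. The script below, an added example that is not part of MoinMoin or of this page, audits a whole data/pages tree before (or after) it is exposed through the Alias. It flags attachment names that a typical Apache install would hand to an interpreter (the PHP suffixes from the RemoveType line plus CGI, Perl, ASP and SSI suffixes, i.e. the "everything else" the caveat leaves to you), names with a script suffix anywhere in the name (mod_mime evaluates every dot-separated extension, so shell.php.jpg can still reach a handler registered with AddHandler), uploaded .htaccess files, and non-ASCII filenames that the direct-serving option cannot handle. For each hit it prints the URL Apache would serve the file under, built from the url value of the attachments option, so you can check it with curl and in access.log. The extension list, the page names and the sample files are constructed for the example.

```python
"""Audit a MoinMoin data/pages tree before serving attachments straight from Apache.

Added example; not part of MoinMoin or of this page.  The extension list is
illustrative and must be extended for whatever handlers your Apache loads.
"""
import os
import posixpath
import tempfile
from urllib.parse import quote

# Suffixes a typical Apache install hands to a server-side interpreter
# (assumption: adjust to the modules and AddHandler/AddType lines in your httpd.conf).
SCRIPT_EXTENSIONS = {
    '.php', '.php3', '.php4', '.php5', '.phtml', '.phps',   # mod_php
    '.asp', '.aspx',                                        # ASP engines
    '.cgi', '.pl', '.py',                                   # CGI / mod_perl / mod_python
    '.shtml', '.shtm',                                      # server-side includes
}
# Files Apache itself reads if AllowOverride permits it.
CONFIG_NAMES = {'.htaccess', '.htpasswd'}


def classify(filename):
    """Return the reasons why serving this attachment directly is risky ([] if none)."""
    reasons = []
    name = os.path.basename(filename)
    if name in CONFIG_NAMES:
        reasons.append('apache config override')
    # mod_mime looks at every dot-separated suffix, so "shell.php.jpg" can still
    # reach a handler registered with AddHandler; check all of them, not just the last.
    suffixes = ['.' + part for part in name.lower().split('.')[1:]]
    hit = next((s for s in suffixes if s in SCRIPT_EXTENSIONS), None)
    if hit:
        reasons.append('script extension ' + hit)
    if not name.isascii():   # the direct-serving option does not handle these
        reasons.append('non-ascii filename')
    return reasons


def attachment_url(attachments_url, pagename, filename):
    """URL Apache serves the file under, from the 'url' value of the attachments option.

    pagename is the on-disk directory name under data/pages.
    """
    return posixpath.join(attachments_url, quote(pagename), 'attachments', quote(filename))


def audit(pages_dir, attachments_url):
    """Walk <pages_dir>/<page>/attachments/ and return [(url, reasons)] for risky files."""
    findings = []
    for page in sorted(os.listdir(pages_dir)):
        att_dir = os.path.join(pages_dir, page, 'attachments')
        if not os.path.isdir(att_dir):
            continue
        for fname in sorted(os.listdir(att_dir)):
            reasons = classify(fname)
            if reasons:
                findings.append((attachment_url(attachments_url, page, fname), reasons))
    return findings


def build_sample_tree(root):
    """Constructed sample data: one page with benign and risky uploads, one clean page."""
    samples = {
        'WikiSandBox': ['mypix.jpg', 'shell.php', 'shell.php.jpg', '.htaccess'],
        'FrontPage': ['notes.txt'],
    }
    for page, files in samples.items():
        att_dir = os.path.join(root, page, 'attachments')
        os.makedirs(att_dir)
        for fname in files:
            open(os.path.join(att_dir, fname), 'w').close()


def run_demo():
    """Audit the constructed tree as if it were .../mywiki/data/pages exposed at /mywikiattach."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = audit(root, '/mywikiattach')
    for url, reasons in findings:
        print(url, '->', ', '.join(reasons))
    return findings


if __name__ == '__main__':
    run_demo()
```

Run it against the real tree with audit('.../mywiki/data/pages', '/mywikiattach') once the Alias is live, then fetch each reported URL with curl and confirm that Apache returns the file's raw bytes rather than interpreting it. The audit is a second line of defence only: the first is an Apache configuration that treats the directory as static content (no handler for any suffix, no CGI or SSI options, AllowOverride None so an uploaded .htaccess is ignored).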