-I've audited this module and it is massively insecure by default. ikiwiki
-uses it in one of the few secure ways; by forcing it to write to a
-directory it controls (and not /tmp) and by setting a umask that makes the
-file not be world readable.
+_(Unless otherwise noted, these were discovered and immediatey fixed by the ikiwiki developers.)_
+
+## destination directory file replacement
+
+Any file in the destination directory that is a valid page filename can be
+replaced, even if it was not originally rendered from a page. For example,
+ikiwiki.cgi could be edited in the wiki, and it would write out a
+replacement. File permission is preseved. Yipes!
+
+This was fixed by making ikiwiki check if the file it's writing to exists;
+if it does then it has to be a file that it's aware of creating before, or
+it will refuse to create it.
+
+Still, this sort of attack is something to keep in mind.