[pmwiki-devel] Security issues: Disabling action=source & action=diff?
crisses at kinhost.org
Tue Dec 5 08:36:05 CST 2006
Now that some recipes are possibly storing data invisibly in the
PmWiki source of a page, should we have a standard "disable public
view of source" (and history?) option in the config.php file?
I note that I can look at cookbook stuff on PmWiki.org, and the "see
it in action at..." then even if I can't edit to view the example
source, I can type &action=source into the browser, and there it is....
[A closed edit site, close to my heart :) ] http://eclectictech.net/?
Obviously I'm doing it from the PmWiki developer point of view, out
of a curiosity of "How can I improve my sites?" and "How did they DO!
that?" but others may do it from the "How can I hack sites?" point of
view, so I would think some people would want to (or NEED to) limit
others viewing PmWiki source code.
I think this should be listed somewhere in a list of items that new
installs should review for security purposes. I'm seeing people
"just installing" PmWiki without knowing that their site is
vulnerable to vandals, for example. Maybe a pointer to an
installation review checklist should be on the Installation page?
Yeah, yeah, "that sounds like the voice of a volunteer" ;) I'd be
glad to kick it off, but either tell or remind me how to disable
these actions --> can we tie them in to authentication levels? Like
you can only view source if you can edit the page?
Then I can start off a link from the Installation instructions to a
page of "Recommended security procedures" (a list of items with brief
descriptions) that then link to relevant information for
implementation on each item.
Anyone against this? For it? Want to help? Want to do it instead? :)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the pmwiki-devel