design5 at softflow.co.uk
Thu Jun 26 03:14:16 CDT 2008
Thursday, June 26, 2008, 9:00:35 AM, Petko wrote:
> There is no "is_admin()" function in PmWiki, and I cannot see any way an
> attacker could execute any other existing function with this form, that is
> why I asked for a real example.
a 'real' enough example. We don't want to see any really harmful code
That someone can construct links in a wiki which may cause a script
injection __is__ the vulnerability. Generally PmWiki is not allowing
because it is by concept an open space.