[pmwiki-devel] PITS/01030

Petko Yotov 5ko at 5ko.fr
Thu Jun 26 03:49:08 CDT 2008


On Thursday 26 June 2008 10:14:16 Hans wrote:
> Thursday, June 26, 2008, 9:00:35 AM, Petko wrote:
> > There is no "is_admin()" function in PmWiki, and I cannot see any way an
> > attacker could execute any other existing function with this form, that
> > is why I asked for a real example.
>
> I think demonstrating a javascript injection as has been provided is
> a 'real' enough example. We don't want to see any really harmful code
> here!
>
> That someone can construct links in a wiki which may cause a script
> injection __is__ the vulnerability. Generally PmWiki is not allowing
> arbitrary javascript (or other script) to be inserted into wiki pages,
> because it is by concept an open space.

Hans,

The example suggested by DaveG was PHP code injection, not JavaScript code 
injection. PHP means that PmWiki executes a code (function is_admin() or 
another) server-side which is really really dangerous, but has not yet be 
proven possible.

Thanks,
Petko



More information about the pmwiki-devel mailing list