5ko at 5ko.fr
Thu Jun 26 03:49:08 CDT 2008
On Thursday 26 June 2008 10:14:16 Hans wrote:
> Thursday, June 26, 2008, 9:00:35 AM, Petko wrote:
> > There is no "is_admin()" function in PmWiki, and I cannot see any way an
> > attacker could execute any other existing function with this form, that
> > is why I asked for a real example.
> a 'real' enough example. We don't want to see any really harmful code
> That someone can construct links in a wiki which may cause a script
> injection __is__ the vulnerability. Generally PmWiki is not allowing
> because it is by concept an open space.
injection. PHP means that PmWiki executes code (function is_admin() or
another) server-side which is really really dangerous, but has not yet be
More information about the pmwiki-devel