[pmwiki-devel] Real vulnerability?

Petko Yotov 5ko at free.fr
Sun May 9 19:00:53 CDT 2010


On Monday 10 May 2010 01:50:08, Tegan Dowling wrote:
>  On Sun, May 9, 2010 at 6:45 PM, Petko Yotov <5ko at free.fr> wrote:
> > Indeed, that's a way to insert potentially harmful JavaScripts in the
> > page. I have immediately fixed it and just released version 2.2.16.
> 
> Did that vulnerability exist in all previous versions of PmWiki? 

Yes, it did.

> Am I right
> in thinking that it would not be a problem, in practice, in a wiki that was
> 'locked down' for editing by only a trusted few -- i.e. that one must have
> edit access to at least one page of the site in order to insert the
> malicious code?

You are right, a potential attacker needs to have edit permissions.

Petko


