[pmwiki-users] pmwiki-2.0.beta29 out, needs testers and feedback

Crisses crisses at kinhost.org
Wed Apr 13 08:23:20 CDT 2005


On Apr 12, 2005, at 9:42 PM, Patrick R. Michaud wrote:

> On Tue, Apr 12, 2005 at 08:56:04PM -0400, Crisses wrote:
>>
>> On Apr 12, 2005, at 12:55 AM, Patrick R. Michaud wrote:
>>
>>> User-based authentication can completely coexist and mix freely with
>>> password-based authentication, thus an edit password of
>>> "id:alice glorp" will allow Alice and anyone who knows the
>>> password "glorp" to edit the page.
>>
>> Does this mean that if a password is "alice" and a username is "alice"
>> both will be able to see the page?
>
> No, not really (at least not as I interpret your question).  When user
> authentication is active the "password required" prompt will have both
> a name field and a password field.  An author that enters "alice" in the
> username field (along with Alice's password) would have access to
> all pages with "id:alice" authorization.  An author that enters
> "alice" in the password field would gain access to all pages with
> "alice" set as a password.
>
>> This represents a hazard if users are allowed to create passwords.
>
> I'm not sure I see the hazard you're envisioning, so let me know.  :-)

The question is:

if the page has "edit id:alice" set as the permission and

username="joe", password="alice"
and
username="alice", password="gobbldygook"

will both users access the page with the access set to id="alice"?


If this is true, and a malicious user saw pages edited by user id 
"alice" and wanted to try to get in to pages that user "alice" is 
authorized for, they could attempt changing their password to "alice" 
to see if they could gain access to pages.

If we specify whether the permission is password=alice versus 
user=alice, that prevents this problem.  In your example -- "id:alice 
glorp" there is no distinction that alice is a user and glorp is a 
password.  Username "glorp" can access the page, and password "alice" 
can access the page.

Crisses
-- 
Is misery made beautiful right before our eyes?
Mercy be revealed, or blind us where we stand.
Will we burn in Heaven like we do down here?
Will the change come while we're waiting?
Everyone is waiting.
   -Sarah McLachlan (Witness)
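To make the two routes Patrick describes concrete, here is a small model of an "edit id:alice glorp" check, written as an added example for this thread (not PmWiki's own code): tokens prefixed "id:" are matched only against a user who has authenticated with the username field, while bare tokens are matched against the password field. The user table, the SHA-256 hashing and all credentials are constructed assumptions for the example.

```python
import hashlib
import hmac
from typing import Optional, Set, Tuple

# Constructed sample user table: username -> SHA-256 of that user's password.
# Assumption: a real wiki would store a proper password hash (bcrypt/crypt);
# SHA-256 is used here only to keep the example self-contained.
def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

USERS = {"alice": _h("gobbldygook"), "joe": _h("alice")}


def parse_auth_string(auth: str) -> Tuple[Set[str], Set[str]]:
    """Split an attribute value such as 'id:alice glorp' into the set of
    user ids (from 'id:NAME' tokens) and the set of plain passwords."""
    ids, passwords = set(), set()
    for token in auth.split():
        if token.startswith("id:"):
            ids.add(token[len("id:"):])
        else:
            passwords.add(token)
    return ids, passwords


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the username if the user table confirms the credentials, else None."""
    stored = USERS.get(username)
    if stored is None:
        return None
    return username if hmac.compare_digest(stored, _h(password)) else None


def authorized(auth: str, username: Optional[str], password: str) -> bool:
    """Decide access for one (username, password) prompt against the attribute."""
    ids, passwords = parse_auth_string(auth)
    # Route 1: an 'id:NAME' token is satisfied only by an authenticated user
    # named NAME. Typing the string "alice" into the password field never
    # reaches this branch, because it is checked only through the user table.
    if username is not None and authenticate(username, password) in ids:
        return True
    # Route 2: the password field matches one of the bare (non-id:) tokens.
    return any(hmac.compare_digest(password.encode(), p.encode()) for p in passwords)
```

With the sample table, joe/"alice" and a username of "glorp" are both refused, while alice with her own password and anyone typing "glorp" in the password field are admitted.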