[pmwiki-users] Security/information leak in PmWiki
nospam at mail.eton.ca
Thu Feb 17 12:22:12 CST 2005
Before too many alarm bells go off, this is not a problem that will affect
many admins, but it does affect me.

I am running a password protected PmWiki for a client. All users are
granted access via Apache basic authentication. This morning I created a
group called "Private" which will be used to store information that only my
direct client and I can access (I assigned a read password to the group).

However, some of the other facilities in PmWiki leak information about the

1) If I search for "/", PmWiki gladly displays the group name and the name
of all the pages it contains. Names like Private.Budget seem to attract

2) By using various search terms, I can glean some information from the
supposedly private pages. For example, if I search for "Project X" and get
a hit on the page "Private.Budget", that implies some discussion of the
project in the budget.

3) The AllRecentChanges page exposes all of the editing activity in the

So the $64 question is, how can I have a truly private group within an
existing PmWiki? Or do I have to create another field in my farm for truly
private info and protect it with yet another layer of basic authentication?
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668
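Added illustration, not PmWiki code and not from the post above: a hypothetical wiki model in which page views check a group read password but the search and recent-changes listings do not, beside versions of both listings that reuse the same read check so that page names and term hits in a read-protected group stay hidden from viewers who have not supplied the password. The page names, texts and the password value are constructed sample data.

```python
# Hypothetical model of the leak described in the post; not PmWiki's code.
# A page belongs to the group before the dot in its name ("Private.Budget").
# A group may carry a read password; a viewer who has not supplied it must
# learn neither the page name, nor its contents, nor its edit history.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Page:
    name: str       # "Group.Page"
    text: str
    modified: int   # constructed edit counter; higher means more recent


@dataclass
class Wiki:
    pages: Dict[str, Page] = field(default_factory=dict)
    read_pw: Dict[str, str] = field(default_factory=dict)  # group -> password

    def can_read(self, name: str, supplied_pw: Optional[str]) -> bool:
        """The check a page view applies; the fix is to reuse it everywhere."""
        required = self.read_pw.get(name.split(".", 1)[0])
        return required is None or supplied_pw == required

    def _matches(self, term: str) -> List[Page]:
        return [p for p in self.pages.values() if term in p.name or term in p.text]

    # Leaky: results reveal page names (and that the term occurs in them)
    # regardless of the read password, which is what the post observed.
    def search_leaky(self, term: str) -> List[str]:
        return sorted(p.name for p in self._matches(term))

    def recent_changes_leaky(self) -> List[str]:
        return [p.name for p in sorted(self.pages.values(), key=lambda p: -p.modified)]

    # Hardened: filter both listings with the same read check as page views.
    def search(self, term: str, supplied_pw: Optional[str] = None) -> List[str]:
        return sorted(p.name for p in self._matches(term) if self.can_read(p.name, supplied_pw))

    def recent_changes(self, supplied_pw: Optional[str] = None) -> List[str]:
        return [n for n in self.recent_changes_leaky() if self.can_read(n, supplied_pw)]


def build_sample() -> Wiki:
    """Constructed data mirroring the post: a public group plus a read-protected one."""
    w = Wiki(read_pw={"Private": "example-read-pw"})  # constructed password
    w.pages["Main.Home"] = Page("Main.Home", "Welcome to the client wiki.", 1)
    w.pages["Private.Budget"] = Page("Private.Budget", "Project X costs 40k.", 3)
    w.pages["Private.Notes"] = Page("Private.Notes", "Meeting notes.", 2)
    return w
```

A term that every page name contains (here "." plays the role of the post's "/" search) lists all pages through the leaky search but only the public page through the checked one.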