[pmwiki-users] Security/information leak in PmWiki

Patrick R. Michaud pmichaud at pobox.com
Thu Feb 17 13:18:24 CST 2005


On Thu, Feb 17, 2005 at 01:22:12PM -0500, Neil Herber wrote:
> 1) If I search for "/", PmWiki gladly displays the group name and the name 
> of all the pages it contains. Names like Private.Budget seem to attract 
> attention.
> 2) By using various search terms, I can glean some information from the 
> supposedly private pages. For example, if I search for "Project X" and get 
> a hit on the page "Private.Budget", that implies some discussion of the 
> project in the budget.

Remove the Private group from searches, by adding:

   $SearchPatterns['default'][] = '!^Private\.!';
   $SearchPatterns['all'][] = '!^Private\.!';
   $SearchPatterns['normal'][] = '!^Private\.!';

> 3) The AllRecentChanges page exposes all of the editing activity in the 
> Private group.

In local/Private.php, add

   unset($RecentChangesFmt['Main.AllRecentChanges']);

> So the $64 question is, how can I have a truly private group within an 
> existing PmWiki? Or do I have to create another field in my farm for truly 
> private info and protect it with yet another layer of basic authentication?

No, you don't have to go to the trouble of a separate field.  OTOH, 
there's no telling what other features or recipes might be inadvertently 
exposing data from the Private group.  But we can certainly make efforts
to identify them and lock them down.

Pm
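
As an added illustration of how the $SearchPatterns exclusions above behave (this is not PmWiki's own code, and the function name filterPageNames and the sample page list are assumptions made for the example): PmWiki treats a pattern delimited with ! as an exclusion and one delimited with / as an inclusion. The script below re-implements that matching in simplified form and runs it over a constructed list of page names, so you can confirm that the pattern from the reply hides the Private group and nothing else.

```php
<?php
// Added illustration, not PmWiki's own code: a simplified re-implementation of
// how PmWiki applies a list of $SearchPatterns to page names.
//   '!...!' patterns are exclusions: every page the regex matches is dropped.
//   '/.../' patterns are inclusions: only pages the regex matches are kept.
// The function name filterPageNames is an assumption for this example.

function filterPageNames(array $pages, array $patterns): array {
    foreach ($patterns as $pat) {
        if ($pat === '') {
            continue;
        }
        if ($pat[0] === '!') {
            // Exclusion: '!' is also the PCRE delimiter, so preg_grep can use
            // the pattern as-is; remove everything it matches.
            $pages = array_values(array_diff($pages, preg_grep($pat, $pages)));
        } else {
            // Inclusion: keep only the pages the pattern matches.
            $pages = array_values(preg_grep($pat, $pages));
        }
    }
    return $pages;
}

// Constructed sample page list (assumption), not taken from a real wiki.
// PrivateNotes.Todo is there on purpose: the exclusion is anchored to
// "Private." at the start of the name, so a group merely beginning with
// "Private" is not hidden by it.
$pages = [
    'Main.HomePage',
    'Main.AllRecentChanges',
    'Private.Budget',
    'Private.RecentChanges',
    'PrivateNotes.Todo',
    'Projects.ProjectX',
];

$searchPatterns = [
    '!\.(All)?RecentChanges$!',  // constructed: keep RecentChanges pages out of results
    '!^Private\.!',              // the exclusion from the reply: hide the Private group
];

print_r(filterPageNames($pages, $searchPatterns));
```

Run it with php and compare the printed list against the input: the two Private.* pages and both RecentChanges pages disappear, while PrivateNotes.Todo remains. If you want a group name that shares a prefix with Private to be hidden as well, widen the pattern deliberately (for example '!^Private!') rather than relying on the anchored one; also remember the reply adds the exclusion to the 'default', 'all' and 'normal' pattern sets because a search can select any of them.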


