[pmwiki-users] read password information leak
Neil Herber
nospam at mail.eton.ca
Mon Mar 7 12:31:47 CST 2005
At 2005-03-07 12:14 PM -0600, Patrick R. Michaud is rumored to have said:
>On Mon, Mar 07, 2005 at 12:58:52PM -0500, Neil Herber wrote:
> > At 2005-03-07 11:51 AM -0600, Patrick R. Michaud is rumored to have said:
> > >On Mon, Mar 07, 2005 at 12:29:47PM -0500, Neil Herber wrote:
> > >> The read password does not appear to suppress protected pagenames or
> > >> groupnames for "action=refcount".
> > >
> > How can I restrict the refcount action to me alone? Note that I have been
> > logged in via Apache .htpasswd, so I suspect I need something like the
> > following in local/config.php:
> >
> > if (@$_SERVER['REMOTE_USER'] == 'Neil' ... (magical PHP code
> > added here)
>
>Replace your existing include of refcount.php with:
>
>     if (@$_SERVER['REMOTE_USER'] == 'Neil')
>         include_once('scripts/refcount.php');
>
> > All wand-waving appreciated.
>
>*wave* :-)
>
> > Or is it possible to have a farm wide "refcount action" password as there
> > can be for other actions? That might be a cleaner solution.
>
>     if ($action == 'refcount' && RetrieveAuthPage($pagename, 'admin'))
>         include_once('scripts/refcount.php');
>
>Pm
Further wand-waving is required, because the first solution works, but the
second does not.

I am not sure what RetrieveAuthPage($pagename, 'admin') is doing and
whether I should be changing 'admin' to some other value. If I leave it as
is, I get a password request page that rejects all passwords.

My actual code in farmconfig.php is:

    if ($action == 'refcount' && RetrieveAuthPage($pagename, 'admin'))
        include_once("$FarmD/scripts/refcount.php");

Neil
Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668