[pmwiki-users] commentbox security risk

Hans design at softflow.co.uk
Sun Jan 8 09:52:16 CST 2006


This affects commentbox.php, commentboxstyled.php and also
Simple Forum which uses commentboxstyled.php:

It has come to my attention that the commentbox scripts pose a certain
security risk on sites which are generally protected from public
access.

Used on edit-protected pages, groups or sites, the commentbox makes it
possible for anyone to post comments, messages etc., which can be
looked at as a nice feature. But the script code opens the door
to edit any page, by adding ?action=comment to the URL.

My advice for anyone using it on a site which is edit-protected
as a whole or in part is:
* use it with caution by loading it only for the page or group
for which it is needed, using a local/Group.Page.php or
Group.php customisation to include the script for only those page(s).
And be sure to monitor such pages well, for any unwanted edits.

I just uploaded an update for commentboxstyled.php which adds an extra
security check function.

This checks if markup (:commentbox:) or (:commentboxchrono:) exists
on the page or the GroupFooter or GroupHeader, before proceeding with
handling the page edit. Thus it prevents it from being misused on
edit-protected sites to edit other pages (unless such markup appears
on them).

I also added an $EnableBypassAuth switch by which this feature of
commentbox to bypass the normal Auth function of pmwiki can be easily
disabled.

- I also added a div for the date head and changed the default
layout of the entries slightly.

-- 
Best regards,
 Hans                          
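
Added example, not part of the original post and not the code from commentboxstyled.php: a stand-alone PHP illustration of the check described above, which lets ?action=comment bypass edit protection only when the markup is on the target page or its group's GroupHeader/GroupFooter. The function name, the page-reading callback, the simplified page-name pattern and the sample pages are assumptions; the $enableBypassAuth parameter models the $EnableBypassAuth switch.

```php
<?php
// Added illustration; not the code shipped in commentboxstyled.php.
// Markup named in the post that marks a page as a legitimate comment target.
const COMMENT_MARKUP = '/\(:commentbox(chrono)?:\)/';

/**
 * Decide whether an ?action=comment request may bypass normal edit auth.
 * $readText is a hypothetical callback: page name -> page text, or null.
 */
function comment_bypass_allowed(string $pagename, callable $readText, bool $enableBypassAuth): bool
{
    if (!$enableBypassAuth) {
        return false; // switch off: the request goes through normal auth
    }
    // Simplified assumption: accept only "Group.Name" built from safe characters,
    // so the group used for the header/footer lookup is unambiguous.
    if (!preg_match('/^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$/', $pagename, $m)) {
        return false;
    }
    $group = $m[1];
    foreach ([$pagename, "$group.GroupHeader", "$group.GroupFooter"] as $candidate) {
        $text = $readText($candidate);
        if (is_string($text) && preg_match(COMMENT_MARKUP, $text) === 1) {
            return true; // markup present: this page is meant to take comments
        }
    }
    return false; // no markup anywhere relevant: deny the bypass (default)
}

// Constructed sample wiki content.
$pages = [
    'Forum.Topic1'     => "Welcome\n(:commentbox:)",
    'Blog.GroupFooter' => "(:commentboxchrono:)",
    'Blog.Post1'       => "A post without its own markup.",
    'Main.HomePage'    => "Edit-protected front page.",
];
$read = fn(string $name) => $pages[$name] ?? null;

foreach (['Forum.Topic1', 'Blog.Post1', 'Main.HomePage', '../etc'] as $name) {
    $ok = comment_bypass_allowed($name, $read, true);
    printf("%-14s switch on  -> %s\n", $name, $ok ? 'bypass allowed' : 'normal auth');
}
$ok = comment_bypass_allowed('Forum.Topic1', $read, false);
printf("%-14s switch off -> %s\n", 'Forum.Topic1', $ok ? 'bypass allowed' : 'normal auth');
```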





