[pmwiki-users] pmwiki exploit

Patrick R. Michaud pmichaud at pobox.com
Tue Sep 5 09:32:33 CDT 2006

On Tue, Sep 05, 2006 at 04:13:36PM +0200, Joachim Durchholz wrote:
> Simone Rota schrieb:
> > A pmwiki exploit is reported here:
> > 
> > http://isc.sans.org/diary.php?storyid=1672
> > 
> > it appears only to affect systems with register_globals on
> The bad news is that the people who're exploiting this are also trying 
> to exploit kernel vulnerabilities and gain root access.
> The good news (beyond the register_globals hack) is that it isn't 
> reported for PmWiki above 2.1.19.

Well, since as of 24 hours ago PmWiki 2.1.19 was the latest version
(and is vulnerable), that's not really saying much.  :-)

> The problem is that it's a single report, which is based on anonymous 
> sources, so it could be a red herring. If it's a valid alarm, it doesn't 
> give details about the actual security holes involved, so fixing them 
> could take more effort and time than usual.

It's a valid alarm, I've been able to duplicate the vulnerability on
my systems in the 2.1.20 release.  2.1.21 should definitively close it.
(But again, for sites with register_globals disabled, it's already

> 1) Disable register_globals where I can,
> 2) upgrade to PmWiki-latest (2.1.21) where I cannot, and
> 3) disable PmWiki on those servers that really, really need to be
>     secure, until PM comes around with a fuller analysis of the
>     situation.

Totally agreed.  A fuller analysis is forthcoming.  In fact,
it's very likely that I'll be creating a "site analysis tool"
on pmwiki.org that people can use to analyze their site for
potential vulnerabilities and setting improvements.


More information about the pmwiki-users mailing list