[pmwiki-users] PmWiki security vulnerability (pmwiki-2.1.21 released)

Menachem Shapiro menachem.shapiro at gmail.com
Wed Sep 6 12:11:05 CDT 2006

On 9/5/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> 2.  Patch the pmwiki.php code directly.  The vulnerability can be
>     closed via a small change to pmwiki.php.  Near the beginning of
>     the pmwiki.php code, find the lines that read
>     if (ini_get('register_globals'))
>       foreach($_REQUEST as $k=>$v) {
>         if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i', $k)) exit();
>         unset(${$k});
>       }
>     and change them to read
>     if (ini_get('register_globals'))
>       foreach($_REQUEST as $k=>$v) {
>         if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION|FarmD|WikiDir)$/i', $k)) exit();
>         ${$k}=''; unset(${$k});
>       }

I'm running 2.0.13, and the line in pmwiki.php says:

if (ini_get('register_globals'))
  foreach($_REQUEST as $k=>$v) { unset(${$k}); }

Will updating it to the text quoted above be a problem?

The main reason I haven't updated my wiki to the latest version is
because I haven't had time to go through and figure out all the
changes that will have to be made to my configuration. It would be
cool if the SiteAnalyzer would also be able to tell me what
configuration changes would be necessary to upgrade to the latest
version, including which markup might be deprecated, etc.
It sounds like that is your plan, but I wanted to bring it up, just in
case it wasn't.


More information about the pmwiki-users mailing list