[pmwiki-users] Why all this zapping?

The Editor editor at fast.st
Tue May 1 12:53:09 CDT 2007


On 5/1/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Tue, May 01, 2007 at 12:08:23PM -0400, The Editor wrote:
> > On 5/1/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> > >I'm saying that if ZAP is enabled _anywhere_ on a site that allows
> > >_any_ editing by an untrusted user, then the untrusted user
> > >can use ZAP to modify any other page on the site, and likely
> > >obtain the contents of otherwise read-protected pages.
> >
> > How could they do that?  If ZAP is not enabled any ZAP form a person
> > created would do absolutely nothing.
>
> I'll set up a demonstration site that illustrates it.  It'll
> take just a bit of time as I want to clearly document it
> so there's no question as to what I'm saying.

Better still, show me how to fix it.  : )  Also, for the benefit of
those using ZAP, it might be best not to document whatever workaround
you use to achieve this on the mailing list.

> > It might be possible with the {(sectionlist)} markup cause that
> > doesn't require a form submission, [...]
>
> I'm talking about the zap.php file I downloaded yesterday
> from the ZAP sites.  I'm not using anything but the core
> ZAP markups.

ZAP core, without the ZAP toolbox, is fairly tame, but I'm looking
forward to your demonstration, as well as the suggested fix.

> > >> Also about the source markup expression...  If a page is blocked for
> > >> reading, is it automatically blocked for source?
> > >
> > >PmWiki doesn't have anything called 'source' permissions.  I think
> > >you're confusing permissions here with ?action=source, and the
> > >default permissions for ?action=source are indeed 'read' permission.
> > >This is controlled by the setting of $HandleAuth['source']
> > >(which defaults to 'read', meaning that read permissions are
> > >required to view a page's source via ?action=source).
> >
> > Well, I may have expressed myself unclearly but you can check if a
> > person has access to view the source of a page with this code you gave
> > me (it works!)
> >
> >       if (! CondAuth($p, $HandleAuth['source'])) return '';
> >
> > My question was if a page was read protected but the source action was
> > not blocked, could a person bypass the read permissions this way?
>
> You don't seem to have fully grokked my answer.
>
> The thing that controls ?action=source is $HandleAuth['source'],
> which defaults to 'read' permission.  Thus, placing a read password
> on a page automatically blocks ?action=source for anyone who
> doesn't have read permissions (unless the admin changes the
> setting of $HandleAuth['source']).
>
> For the conditional you've given above, $HandleAuth['source']
> evaluates to 'read', thus it's equivalent to executing
>
>     if (! CondAuth($p, 'read')) return '';
>
> This says to return an empty string if the visitor hasn't established
> read permissions to the page given by $p.

That's cool.  I guess that one at least is ok.  I definitely
appreciate your attention to ZAP to help ensure it's the very best
software piece it can be.

Cheers,
Dan
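The exchange above is about one thing: any recipe code that hands out a page's raw source must gate on the same permission level that `?action=source` uses, which is whatever `$HandleAuth['source']` holds (`'read'` by default). The following snippet is an added illustration, not code from ZAP or from PmWiki itself: a hypothetical `{(sourceof Group.Page)}` markup expression, first in a form that leaks read-protected text and then in the gated form Patrick's `CondAuth` line produces. `MxSourceOf`, `MxSourceOfLeaky` and the `sourceof` expression name are assumptions chosen for the example; `$MarkupExpr`, `CondAuth`, `RetrieveAuthPage`, `MakePageName`, `READPAGE_CURRENT` and `$HandleAuth` are PmWiki's own, and the availability of `$pagename` inside a `$MarkupExpr` entry is assumed from how PmWiki evaluates those expressions.

```php
<?php
// local/config.php excerpt (added example, not ZAP's or PmWiki's code).
// PmWiki's default; shown explicitly so the coupling is visible.
$HandleAuth['source'] = 'read';

// WEAK FORM: reads the page with no authorization level at all, so a
// read-protected page's text would be returned to anyone who can get
// this expression evaluated on some page they are allowed to edit.
function MxSourceOfLeaky($pagename, $args) {
  $p = MakePageName($pagename, $args[0]);          // resolve relative name
  $page = ReadPage($p, READPAGE_CURRENT);          // no auth check here
  return $page ? $page['text'] : '';
}

// GATED FORM: mirrors ?action=source. CondAuth() returns false unless the
// visitor has established the level named by $HandleAuth['source'] on $p,
// so a read password on the page blocks this path exactly as it blocks
// ?action=source. RetrieveAuthPage() with the same level, and with
// authprompt disabled, is then belt-and-braces: it will not return the
// page without that permission either.
function MxSourceOf($pagename, $args) {
  global $HandleAuth;
  $p = MakePageName($pagename, $args[0]);
  if (!CondAuth($p, $HandleAuth['source'])) return '';
  $page = RetrieveAuthPage($p, $HandleAuth['source'], false, READPAGE_CURRENT);
  return $page ? $page['text'] : '';
}

// Register only the gated form. Usage on a wiki page: {(sourceof Main.HomePage)}
// ($pagename inside the expression string is assumed to be the current page.)
$MarkupExpr['sourceof'] = 'MxSourceOf($pagename, $args)';
```

The design point is that the check is keyed on `$HandleAuth['source']` rather than a hard-coded `'read'`: if an admin later tightens `?action=source` to `'edit'` or `'admin'`, the expression follows automatically instead of becoming the one path that still answers at the old level.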
