[pmwiki-users] Why all this zapping?

Patrick R. Michaud pmichaud at pobox.com
Tue May 1 13:02:56 CDT 2007


On Tue, May 01, 2007 at 01:53:09PM -0400, The Editor wrote:
> On 5/1/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> >On Tue, May 01, 2007 at 12:08:23PM -0400, The Editor wrote:
> >> On 5/1/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> >> >I'm saying that if ZAP is enabled _anywhere_ on a site that allows
> >> >_any_ editing by an untrusted user, then the untrusted user
> >> >can use ZAP to modify any other page on the site, and likely
> >> >obtain the contents of otherwise read-protected pages.
> >>
> >> How could they do that?  If ZAP is not enabled any ZAP form a person
> >> created would do absolutely nothing.
> >
> >I'll set up a demonstration site that illustrates it.  It'll
> >take just a bit of time as I want to clearly document it
> >so there's no question as to what I'm saying.
> 
> Better still show me how to fix it.  : )  

I don't have a solid "fix".  You'll probably be able to close
off the specific attack I'm using, but the underlying risk 
that another hole is available to be exploited will still be there.

In fact, the whole reason why it has taken me so long (months!) 
to come up with a forms processing system of my own is because 
I don't think it's safe to assume that _all_ editors on a site 
can be trusted.  If I could make that assumption, then my version 
of forms-processing would've been ready last Fall, if not sooner.

> Also for the benefit of
> those using ZAP it might be best to not document whatever workaround
> you use to achieve this on the mail list.

Fair enough.  Anyone who wants the address to the description of
the exploit, just let me know and I'll send it off-list when it's
ready.

Pm


