[pmwiki-users] ZAP security vulnerability...
Patrick R. Michaud
pmichaud at pobox.com
Tue May 1 18:05:39 CDT 2007
On Tue, May 01, 2007 at 06:26:37PM -0400, The Editor wrote:
> Pm has been kind enough to study the ZAP code and found a serious
> security vulnerability. We are still looking for a solution.
>
> Basically the problem is in PmWiki's ability to impose page content
> from an editable page onto a page that is not editable and load that
> page as if it were in the source code. You could argue this is a
> PmWiki vulnerability, (which allows users to insert a ZAPform onto a
> page they cannot edit) but regardless it will need to be fixed.
Yes, you could argue this is a PmWiki vulnerability.... but
you'd be wrong. :-)
Here PmWiki is functioning exactly as it has been designed to
function, and the features that the ZAP exploit uses do not, on their
own, impose any security risks to sites not running ZAP. It's only
when coupled with a recipe that allows page modifications >>outside
of PmWiki's normal edit authorizations<< that the potential for
problems occurs.
Indeed, the features that the exploit is using are arguably
some of the most popular features in PmWiki at the moment:
    (:include:) templates
    pagelist templates
    page text variables
    group header, group footer
    <!--wiki: .... --> in skin templates
    sidebars, page actions, etc.
So, unless we want to try to "fix" all of these features, I don't
think we can consider the problem a PmWiki vulnerability. Instead,
it appears to be a mistaken assumption on ZAP's part about being
able to rely on rendered markup (which can come from many sources)
to authenticate write access outside of the normal page permission
structure.
Pm
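An added example, not PmWiki's or ZAP's own code, modelling the point Pm makes above: a toy page store where (:include:) pulls text from other pages, a flawed check that infers write permission from a marker in the rendered page, and the check that asks the target page's own edit authorization instead. The page names, ACLs and the (:zapform:) marker are constructed for the illustration.

```python
# Toy model (constructed; not PmWiki or ZAP code) of why rendered markup,
# which can come from many source pages, cannot authenticate write access.
import re

# Constructed wiki: page source text, and which users may edit each page.
PAGES = {
    "Site.SideBar": "[[Main.HomePage]]\n(:include Profiles.Guest:)",
    "Profiles.Guest": "Hello!\n(:zapform target=Site.SideBar:)",
}
EDIT_ACL = {
    "Site.SideBar": {"admin"},            # only admin may edit the sidebar
    "Profiles.Guest": {"admin", "guest"},  # guest may edit their profile
}

INCLUDE_RE = re.compile(r"\(:include (\S+):\)")


def render(pagename, depth=0):
    """Render a page, inlining (:include:) directives the way PmWiki does."""
    if depth > 5:  # guard against include loops
        return ""
    src = PAGES.get(pagename, "")
    return INCLUDE_RE.sub(lambda m: render(m.group(1), depth + 1), src)


def naive_form_allowed(user, target):
    """Flawed check: if the rendered target page carries the form marker,
    assume an editor of that page placed it. Included text defeats this."""
    return f"(:zapform target={target}:)" in render(target)


def proper_form_allowed(user, target):
    """Correct check: consult the target page's own edit authorization,
    regardless of what markup the rendered page happens to contain."""
    return user in EDIT_ACL.get(target, set())


def content_controllers(pagename, seen=None):
    """Everyone who can influence the rendered text of a page: its editors
    plus the editors of every page it transitively includes."""
    if seen is None:
        seen = set()
    if pagename in seen:
        return set()
    seen.add(pagename)
    users = set(EDIT_ACL.get(pagename, set()))
    for inc in INCLUDE_RE.findall(PAGES.get(pagename, "")):
        users |= content_controllers(inc, seen)
    return users
```

The gap between `content_controllers("Site.SideBar")` and `EDIT_ACL["Site.SideBar"]` is exactly the set of people the naive check wrongly admits.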