[pmwiki-users] ZAP security vulnerability...
The Editor
editor at fast.st
Thu May 3 14:26:10 CDT 2007
I about have the mechanism in place to tighten down the hatches in
ZAP as tight (I hope) as one could want--but the question may become
how much is too much.
In particular I have a system in place by which I must manually unlock
any function that has any kind of risk potential, and manually set a
unique target page (or group) before any form can write to a page as
well. A bit onerous but worth it if it solves our problems.
One question is, given the above assumptions, should I by default allow
forms to post data to the same page without a special unlock step?
(Seems to me Fox made this choice). And what about having an
automatically approved auth list--maybe groups like forum, blog, and
comments or something (Fox has also done this). A malicious user
could impose text on those pages, but with no commands or targets for
those pages could not do much damage.
Thinking out loud--and looking for a recommendation... I want to
combine security against the really smart folks out there like
Pm--while maintaining as much ease of use as possible (for the simple
folks, like me)...
Cheers,
Dan
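As an added illustration of the policy sketched in the post (this is not ZAP's or Fox's own code; the function and variable names, the `Group.*` target syntax and the sample request are all assumptions), a PHP check that lets a form write only to the page it sits on, to a target the admin set for it, or to an auto-approved group, and runs only commands that were manually unlocked:

```php
<?php
// Hypothetical policy check modelled on the scheme in the post.
// All names below are assumptions, not ZAP's real configuration variables.

$ZAPUnlockedCommands = array('savedata');                   // risky commands, unlocked by hand
$ZAPAutoGroups       = array('Forum', 'Blog', 'Comments');  // auto-approved groups
$ZAPAllowedTargets   = array('Main.GuestBook', 'Notes.*');  // per-form targets set by the admin

// A target must look like Group.Name; anything else is rejected before any matching.
function zapValidPageName($name) {
    return preg_match('/^[A-Za-z][A-Za-z0-9]*\.[A-Za-z0-9]+$/', $name) === 1;
}

function zapTargetAllowed($currentPage, $target, $autoGroups, $allowedTargets) {
    if (!zapValidPageName($target)) return false;
    // Writing back to the page the form sits on needs no unlock step.
    if ($target === $currentPage) return true;
    // Explicitly configured target page, or a whole group written as "Group.*".
    foreach ($allowedTargets as $allowed) {
        if ($target === $allowed) return true;
        if (substr($allowed, -2) === '.*' && strpos($target, substr($allowed, 0, -1)) === 0) return true;
    }
    // Auto-approved groups: text may land here, but nothing else is reachable.
    $group = strstr($target, '.', true);
    return in_array($group, $autoGroups, true);
}

function zapCommandAllowed($command, $unlocked) {
    return in_array($command, $unlocked, true);
}

// Constructed sample request, as a form post might deliver it.
$currentPage = 'Main.GuestBook';
$request = array('target' => 'Forum.Thread1', 'command' => 'savedata');

if (!zapTargetAllowed($currentPage, $request['target'], $ZAPAutoGroups, $ZAPAllowedTargets)) {
    die("ZAP: target page not approved\n");
}
if (!zapCommandAllowed($request['command'], $ZAPUnlockedCommands)) {
    die("ZAP: command not unlocked\n");
}
echo "ZAP: write to {$request['target']} permitted\n";
```

Changing the sample target to `Site.AuthUser` or the command to anything not listed makes the check refuse, which is the "deny unless manually unlocked" default the post is weighing.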