[pmwiki-users] ZAP security vulnerability...
Hans
design5 at softflow.co.uk
Thu May 3 14:41:42 CDT 2007
Thursday, May 3, 2007, 8:26:10 PM, The Editor wrote:
> One question is given the above assumptions, should I by default allow
> forms to post data to the same page without a special unlock step?
> (Seems to me Fox made this choice).

I am just mulling over this choice, and suspect it is no good.
As we have seen, it is enough to include a form in a page by having it
added to the GroupFooter for instance. Then someone can post to the
page, even if it was protected.

It always comes to the same point:
The target page for posting content needs to carry a mark, an
attribute or a string, which will make it a legitimate posting target.
Or the admin can expand this by giving permission for posting to other
pages (for instance via a page pattern array).

> And what about having an
> automatically approved auth list--maybe groups like forum, blog, and
> comments or something (Fox has also done this). A malicious user
> could impose text on those pages, but with no commands or targets for
> those pages could not do much damage.

For Fox it was an attempt to make it easier to set up comment pages.
But I did not have feedback on this. I guess there are many ways of
creating comment pages, tied to a document page. So maybe it is better
to leave it blank. But I would be curious to hear from others about this.

~Hans
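The opt-in check Hans describes (the target page itself carries a mark, or the admin allows it via a page pattern array), written out as an added example; this is not Fox's or PmWiki's own code, and the marker string, function name and pattern array are assumptions for illustration:

```php
<?php
// Added example (not Fox's or PmWiki's code): a page may receive a form post
// only if it opts in. Marker string, function name and the admin pattern
// array below are assumptions chosen for this illustration.

// Marker a page must contain to be a legitimate posting target (assumed).
const POST_TARGET_MARKER = '(:accept-posts:)';

// Admin-supplied regexes for pages that may be posted to without the marker.
$AllowedPostTargets = array('/^Comments\\./', '/^Forum\\./');

/**
 * Decide whether $target may receive posted content.
 * The marker is looked for in the stored source of the target page, never in
 * the submitted form, so a form dropped into a GroupFooter cannot declare
 * the protected page it is displayed on a legitimate target.
 */
function isLegitimatePostTarget($target, $pageText, array $allowedPatterns)
{
    // Page names are Group.Name; reject anything else outright.
    if (!preg_match('/^[A-Za-z0-9]+\\.[A-Za-z0-9]+$/', $target)) {
        return false;
    }
    // Opt-in mark carried by the page itself.
    if (strpos($pageText, POST_TARGET_MARKER) !== false) {
        return true;
    }
    // Admin expansion via the page pattern array.
    foreach ($allowedPatterns as $pattern) {
        if (preg_match($pattern, $target)) {
            return true;
        }
    }
    return false;
}

// Constructed sample pages (name, stored source, expected decision).
$cases = array(
    array('Main.GuestBook',   '(:accept-posts:) sign below', true),  // marked
    array('Comments.Article', 'plain comment page',          true),  // admin pattern
    array('Main.Protected',   'form shown via GroupFooter',  false), // no mark, no pattern
    array('Bad Name',         '',                            false), // malformed name
);
foreach ($cases as $c) {
    $ok = isLegitimatePostTarget($c[0], $c[1], $AllowedPostTargets);
    printf("%-18s -> %s (expected %s)\n", $c[0],
        $ok ? 'allow' : 'deny', $c[2] ? 'allow' : 'deny');
}
```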