[pmwiki-users] Security issues in Pmwiki and UserAuth2

Patrick R. Michaud pmichaud at pobox.com
Mon Dec 29 00:16:25 CST 2008

[Resending, as earlier attempts didn't seem to make it to pmwiki-users.  --Pm]

On Sun, Dec 28, 2008 at 02:24:29PM +0100, Olle Bergkvist wrote:
> Hello list.
> Some time ago I discovered several security issues, both in PmWiki, and in
> the UserAuth2 recipe. In some of those cases I think the design wasn't
> optimal for security, and in another case it was a very real bug which
> could cause major site ownage. Each time, I tried to contact PM and Thomas
> Pitschel respectively; emailing PM is what I'm supposed to do according to
> http://pmwiki.org/wiki/PmWiki/Security . I sent them messages via Freenode
> as well. But nope, I have not yet received any reply.

Olle and others-

I can't vouch at all for the UserAuth2 recipe -- I've never been
enamored of the UserAuth recipes; that's why PmWiki provides
AuthUser in the distribution.  If there's a problem with the UserAuth2
recipe, the best bet is to contact the author/maintainer of that recipe,
and if they're non-responsive (as appears to be the case here),
then I'd suggest (1) placing a warning on the cookbook page
and/or (2) taking over the recipe and fixing it so it no longer has
a security bug.

I checked through my personal archives to see if there was a security
bug report from Olle specifically dealing with PmWiki (as opposed to 
the UserAuth2 recipe), and couldn't find one.  If I've simply
overlooked that message or it got lost somewhere, please re-send it.

