sandy at onebit.ca
Tue May 3 12:35:11 CDT 2011
Is this confirmed, both that one way has the hole and the other doesn't?
Near as I can tell, you're setting the same parameters either way, so
I'd expect the results to be the same.
Or are there other things that should be done when changing those
variables? If so, is there a function that can be called from config.php
that will do all the housekeeping?
If it is possible to see an (:include:) file which you don't have
access to, and access was set properly, then it's a bug.
On 5/2/2011 2:22 PM, Peter Bowers wrote:
> Randy pointed out (below) a serious security hole that I've been
> inadvertently leaving on my sites ever since I started doing that
> config.php-only type of password-setting that I suggested above. If I
> am viewing a group for which I have read permission I can then
> (:include:) a page for which I do *not* have read permission.