[pmwiki-users] Custom PageVariables from request strings: critical vulnerability

Petko Yotov 5ko at 5ko.fr
Sun Feb 28 03:28:10 CST 2016

No, htmlspecialchars() is not vulnerable per se, what is vulnerable is 
that the string you store in a $FmtPV variable will be evaluated and run 
by PmWiki as PHP code. So it is a bad idea to store in that variable 
things that other people wrote on the wiki or in the web forms, or in 
the URL address -- $FmtPV was never intended to be used this way.

Instead of {$PageVar} you can use in your forms {$$RequestVars} for 
example in pagelists: these are not vulnerable, you don't need to do 
anything. Or, for needs other than pagelists/searches, the recipe 
"HttpVariables" provides access to request strings without evaliating 

Even if you sanitize the stings, a future PHP upgrade may include a new 
way to compromize the site. So, don't evaluate random strings. :-)


On 2016-02-27 12:58, Oliver Betz wrote:
> Petko Yotov wrote 2015-12-19:
>> This message concerns you if your wiki creates custom page variables
>> which get their values from request strings like the URL address of 
>> the
>> page.
>> The previously documented recommended way to sanitize such values can
>> allow PHP code injection in some cases.
>> The following is very insecure:
>>   $FmtPV['$Var'] = $_REQUEST['Var']; # insecure
>>   $FmtPV['$Var'] = '"'. addslashes($_REQUEST['Var']).'"'; # insecure
> is htmlspecialchars vulnerable?

More information about the pmwiki-users mailing list