[pmwiki-users] Custom PageVariables from request strings: critical vulnerability

DaveG pmwiki at solidgone.com
Sun Feb 28 10:57:51 CST 2016

On 2/28/2016 4:28 AM, Petko Yotov wrote:
> No, htmlspecialchars() is not vulnerable per se, what is vulnerable is
> that the string you store in a $FmtPV variable will be evaluated and run
> by PmWiki as PHP code. So it is a bad idea to store in that variable
> things that other people wrote on the wiki or in the web forms, or in
> the URL address -- $FmtPV was never intended to be used this way.
> Instead of {$PageVar} you can use in your forms {$$RequestVars} for
> example in pagelists: these are not vulnerable, you don't need to do
> anything. Or, for needs other than pagelists/searches, the recipe
> "HttpVariables" provides access to request strings without evaliating them.
> Even if you sanitize the stings, a future PHP upgrade may include a new
> way to compromize the site. So, don't evaluate random strings. :-)
Ah, so it's the act of storing user input into $FmtPV which is the 
problem. This helps clarify the problem. Initially it appeared that 
assigning $_REQUEST to any variable was the issue.

More information about the pmwiki-users mailing list