[pmwiki-users] Upload protection not working
Christopher Cox
ccox at endlessnow.com
Tue Jun 7 23:04:35 CDT 2016
Behold the culprit:
$EnableUploadGroupAuth=1;
That creates the security hole.
On 06/06/2016 08:15 PM, ccox at endlessnow.com wrote:
> I'm going to try a fresh install. This is on an owned private CentOS 7 box.
>
> Sent on the new Sprint Network
>
> ----- Reply message -----
> From: "Patrick R. Michaud" <pmichaud at pobox.com>
> To: "ccox at endlessnow.com" <ccox at endlessnow.com>
> Cc: "pmwiki-users" <pmwiki-users at pmichaud.com>
> Subject: [pmwiki-users] Upload protection not working
> Date: Mon, Jun 6, 2016 8:12 PM
>
> I'm a bit stumped.
>
> Grasping at some straws:
>
> 1. Change the name of "directors.jpg" to something else and see if
> that fixes anything. (Perhaps the URL result itself has been cached
> somewhere? I've had this happen to me and then spent hours/days trying
> to figure it out, when it turned out my ISP was caching things and
> ignoring cache-control headers.)
>
> 2. farmconfig.php ?
>
> 3. Try a different group and page and see if the problem persists ?
>
> 4. Try a fresh pmwiki.php install, with only the upload-related variables set?
>
> Pm
>
>
> On Mon, Jun 06, 2016 at 06:23:36PM -0500, ccox at endlessnow.com wrote:
>> If I remove the download param I get the login page. I don't have any
>> other PHP involved.
>> Sent on the new Sprint Network
>> ----- Reply message -----
>> From: "Patrick R. Michaud" <pmichaud at pobox.com>
>> To: <ccox at endlessnow.com>
>> Cc: <pmwiki-users at pmichaud.com>
>> Subject: [pmwiki-users] Upload protection not working
>> Date: Mon, Jun 6, 2016 6:14 PM
>>
>> Out of curiosity, what happens if you attempt to access the page
>> via incognito mode or equivalent? I'm wondering if somehow you're
>> obtaining authorization through another path... e.g., perhaps an
>> admin authorization that has been cached somewhere.
>>
>> Also, what happens if you remove the "?action=download" portion?
>> Do you get something denying immediate access to the Test/Directors
>> page (e.g., an authentication prompt), or do you see the page itself?
>> If the latter, then authorization isn't being blocked for some reason
>> unrelated to uploads/downloads.
>>
>> Lastly, is there anything in the Test.php (group config) that might be
>> throwing off the authorization stuff?
>>
>> Pm
>>
>>
>>
>> On Mon, Jun 06, 2016 at 05:46:30PM -0500, ccox at endlessnow.com wrote:
>> > So I stripped out AuthUser as well and set a simple password on the page, and I
>> > can still get to the attachment using:
>> >
>> > [1]https://www.example.com/Test/Directors?action=download&upname=directors.jpg
>> >
>> > My config.php attached.
>> >
>> >
>> > > I've stripped my config.php down to just my AuthUser LDAP stuff, with per-page
>> > > uploads defined, and I can get to the attachment even though I don't
>> > > have read permissions for the page.
>> > >
>> > >
>> > > I know it's asking a lot, but is it possible to do a test with AuthUser
>> > > involved? I'm using ldap but I know that's probably harder to do.
>> > >
>> > > Let me know if you want my config.php (devoid of comments), etc.
>> > >
>> > >
>> > >> It works as expected on pmwiki.org:
>> > >>
>> > >>
>> > >> [2]http://www.pmwiki.org/wiki/TestProtected/TestProtected?action=download&upname=pmwiki-32.gif
>> > >>
>> > >> If you have per-group uploads and want to protect a file, there is no
>> > >> point in protecting a single page: a visitor can download the file from
>> > >> another, unprotected page. In this case PmWiki will require "read"
>> > >> permissions for the whole group, which you set in
>> > >> GroupAttributes?action=attr.
>> > >>
>> > >> If you have per-page uploads, PmWiki requires "read" permissions for the
>> > >> page.
>> > >>
>> > >> "upload" permissions are only required for people to upload files, not
>> > >> to download them. To download them they need "read" permissions.
>> > >>
>> > >> Petko
>> > >>
>> > >> ---
>> > >> Change log : [3]http://www.pmwiki.org/wiki/PmWiki/ChangeLog
>> > >> Release notes : [4]http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
>> > >> If you upgrade : [5]http://www.pmwiki.org/wiki/PmWiki/Upgrades
>> > >>
>> > >>
>> > >> On 2016-06-06 21:44, ccox at endlessnow.com wrote:
>> > >>> Consider the following URL. I have direct downloads disabled and
>> > >>> htaccess
>> > >>> is blocking the uploads area. So attachments get translated like
>> > >>> so:
>> > >>>
>> > >>> [6]https://www.example.com/Test/Directors?action=download&upname=directors.jpg
>> > >>>
>> > >>> However, I have protected read, edit, attr and upload for the page
>> > >>> Test/Directors.. and I can still get to the content.
>> > >>>
>> > >>> Do I have to protect the group instead? Perhaps I need to go to per
>> > >>> page
>> > >>> uploads? Would that fix things?
>> > >>
>> > >> _______________________________________________
>> > >> pmwiki-users mailing list
>> > >> pmwiki-users at pmichaud.com
>> > >> [7]http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>> > >>
>> > >
>> > >
>> > >
>> > >
>>
>> > $WikiTitle = 'Agora';
>> > $ScriptUrl = 'https://'.$_SERVER['HTTP_HOST'];
>> > $PubDirUrl = 'https://'.$_SERVER['HTTP_HOST'].'/pmwiki/pub';
>> > $EnablePathInfo = 1;
>> > $PageLogoUrl = "$PubDirUrl/skins/pmwiki/skopos-small.png";
>> > $DefaultPasswords['admin'] = array(pmcrypt('secret'), '@admins');
>> > $HandleAuth['diff'] = 'edit';
>> > $DefaultPasswords['edit'] = 'id:*';
>> > $Author = $AuthId;
>> > include_once("scripts/xlpage-utf-8.php");
>> > $EnableGUIButtons = 1;
>> > include_once("scripts/creole.php");
>> > $EnableUpload = 1;
>> > $DefaultPasswords['upload'] = 'id:*';     # any authenticated user may upload
>> > $EnableDirectDownload=0;                  # attachments served only via ?action=download
>> > $EnableUploadGroupAuth=1;                 # identified later in the thread as the culprit
>> > $UploadPrefixFmt = '/$Group/$Name';       # per-page upload directories
>> > $EnablePageListProtect = 1;
>> > if ($action == 'refcount') include_once("scripts/refcount.php");
>> > if ($action == 'rss') include_once("scripts/feeds.php"); # RSS 2.0
>> > if ($action == 'atom') include_once("scripts/feeds.php"); # Atom 1.0
>> > if ($action == 'dc') include_once("scripts/feeds.php"); # Dublin Core
>> > if ($action == 'rdf') include_once("scripts/feeds.php"); # RSS 1.0
>> > $AutoCreate['/^Category\\./'] = array('ctime' => $Now);
>> > Markup("'~", "inline", "/'~(.*?)~'/", "<i>$1</i>"); # '~italic~'
>> > Markup("'*", "inline", "/'\\*(.*?)\\*'/", "<b>$1</b>"); # '*bold*'
>>
>>
>> References
>>
>> 1. https://www.example.com/Test/Directors?action=download&upname=directors.jpg
>> 2. http://www.pmwiki.org/wiki/TestProtected/TestProtected?action=download&upname=pmwiki-32.gif
>> 3. http://www.pmwiki.org/wiki/PmWiki/ChangeLog
>> 4. http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
>> 5. http://www.pmwiki.org/wiki/PmWiki/Upgrades
>> 6. https://www.example.com/Test/Directors?action=download&upname=directors.jpg
>> 7. http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>> 8. http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>> 11. http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>
>
>
>
>
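The thread ends on the combination of `$UploadPrefixFmt = '/$Group/$Name'` (per-page upload directories) with `$EnableUploadGroupAuth=1`. As I read that variable (my understanding of its documented behaviour; check scripts/upload.php in your version), it makes `?action=download` check "read" against the group's GroupAttributes page instead of the page the file is attached to, so a password set on Test/Directors alone never gates directors.jpg. The following config fragment is an added example, not code from the thread or from PmWiki itself: it shows the two self-consistent setups Petko describes and a guard that refuses to start on the mixed one. `$UploadProtectionMode` is a name invented here for the example, not a PmWiki variable; `IsEnabled()` and `Abort()` are PmWiki's own helpers.

```php
<?php if (!defined('PmWiki')) exit();
## Added example (not the thread's config, not PmWiki's code).  Assumes a
## stock local/config.php with scripts/upload.php loaded by $EnableUpload.

$EnableUpload = 1;
$EnableDirectDownload = 0;            # no direct uploads/ URLs; every fetch goes through ?action=download
$DefaultPasswords['upload'] = 'id:*'; # any logged-in user may upload; downloading still needs 'read'

## Hypothetical switch for this example: 'page' or 'group'.
$UploadProtectionMode = 'page';

if ($UploadProtectionMode == 'page') {
  ## Per-page attachments: files live under uploads/$Group/$Name and the
  ## download is authorized against that page, so the read password set via
  ## Test/Directors?action=attr is what protects directors.jpg.
  $UploadPrefixFmt = '/$Group/$Name';
  $EnableUploadGroupAuth = 0;
} else {
  ## Per-group attachments: any page in the group can link the file, so a
  ## single page password is not the gate.  Authorize against the group and
  ## set the read password on Test/GroupAttributes?action=attr instead.
  $UploadPrefixFmt = '/$Group';
  $EnableUploadGroupAuth = 1;
}

## Guard: per-page directories plus group-level authorization is the mix the
## thread ended on.  Fail closed at config time rather than serve files past
## a page password.  ($UploadPrefixFmt is single-quoted, so '$Name' is literal.)
if (IsEnabled($EnableUploadGroupAuth, 0) && strpos($UploadPrefixFmt, '$Name') !== false) {
  Abort('config.php: $EnableUploadGroupAuth=1 together with a per-page $UploadPrefixFmt; '
      . 'page read passwords would not protect downloads. Choose one mode above.');
}
```

To confirm the gate from outside, fetch the download URL with no cookies (a fresh session, as Pm suggested with incognito mode) and look at the Content-Type: `curl -sS -o /dev/null -w '%{content_type}\n' 'https://www.example.com/Test/Directors?action=download&upname=directors.jpg'` should come back as text/html (PmWiki's password form), not image/jpeg. Repeat for a page in the same group that carries no password, since under per-group uploads that is the path an attacker would take.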