[pmwiki-devel] ZAP farms: a modest proposal for security
Ben Stallings
ben at interdependentweb.com
Thu May 3 11:02:26 CDT 2007

I got to thinking yesterday about the ZAP vulnerability, both the
exploit Pm has demonstrated fully and the one he's alluded mysteriously
to as a homework assignment for Dan. ;-)

It occurs to me that Dan has been operating from the start on the
assumption that ZAP will be used on sites that do not allow anyone to
edit pages without logging in; indeed that ZAP will *be* the way that
members of the general public edit pages, and traditional wiki editing
will be reserved for admins and trusted friends. I've followed the same
assumption, so I believe the sites I've built with ZAP are not
susceptible to the exploit. (I'd rather not put that to the test,
though, thanks.)

Pm is coming from the assumption that the wiki's edit function is open
to anyone, at least somewhere on the site (e.g. the WikiSandbox), and
that all page edits, without exception, pass through that function and
its accompanying safeguards. From his perspective, this is the way
wikis ought to be, and he may well be right about that in the long run,
once he finds a way to process forms. ;-) Apologies if I've misstated
either philosophy.

Both of these philosophies seem to work very well and be reasonably
secure on their own, but the problem is that the underlying,
incompatible assumptions were *unstated* and so have been allowed to
coexist, and as we've seen, scary things can then happen.

So here's my question: would any of these exploits -- including the ones
only mysteriously alluded to -- be possible if ZAP were only installed
on a wiki farm field, separate from the publicly-editable part of the
wiki? If not, it seems like a wiki could safely use both editing
philosophies by isolating each from the other in its own farm field.
Part of the site would use the wiki's edit function exclusively, and the
other part would use ZAP exclusively as its public face, and they could
share a skin and otherwise be unobtrusively integrated with each other.

I realize doing something like this would stretch the definition of a
recipe, but Acme/ZAP has already done that by supplanting the wiki's
editing function. If it should turn out to be the case that the two
editing functions cannot coexist securely, then putting ZAP in its own
farm field could allow admins to have the best of both worlds.

Just a thought. If there's another feature of PmWiki that allows
unauthenticated users to use pages from other farm fields as templates
to display whatever content they choose, now would be a good time to say
so! ;-) --Ben