[pmwiki-devel] PITS/01030
Hans
design5 at softflow.co.uk
Thu Jun 26 03:14:16 CDT 2008
Thursday, June 26, 2008, 9:00:35 AM, Petko wrote:
> There is no "is_admin()" function in PmWiki, and I cannot see any way an
> attacker could execute any other existing function with this form, that is
> why I asked for a real example.
I think demonstrating a javascript injection as has been provided is
a 'real' enough example. We don't want to see any really harmful code
here!
That someone can construct links in a wiki which may cause a script
injection __is__ the vulnerability. Generally PmWiki does not allow
arbitrary JavaScript (or other script) to be inserted into wiki pages,
because it is by design an open space.
Hans
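The class of issue Hans describes, a wiki link whose target carries script, is usually caught where link markup is turned into HTML. The following is an added example written for this page, not PmWiki's code: a small JavaScript filter that allows only an explicit list of URL schemes, undoes a few encodings browsers tolerate inside a scheme (mixed case, tabs and other control characters, numeric HTML entities), and renders anything else as plain text with no href at all. The allowed scheme list, the sample link targets and all function names are assumptions made for the example.

```javascript
// Added example, not PmWiki code. Schemes a wiki author may link to (assumption).
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);

// Turn a numeric code point into a character, or "" when it is out of range.
function cp(n) {
  return Number.isFinite(n) && n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "";
}

// Normalise a raw link target the way a browser would before it decides what
// to do with it: decode numeric entities, then drop ASCII control characters
// and whitespace so "java\tscript:" and "&#106;avascript:" both read "javascript:".
function normalizeTarget(raw) {
  const decoded = String(raw)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n");
  return decoded.replace(/[\u0000-\u0020\u007f]/g, "");
}

// Decide whether a link target is acceptable. A target with no scheme is
// treated as a relative link or wiki page name and passed through; a target
// with a scheme is accepted only if the scheme is on the allow list.
function classifyLink(raw) {
  const href = normalizeTarget(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (!m) return { allowed: true, scheme: null, href };
  const scheme = m[1].toLowerCase();
  return { allowed: ALLOWED_SCHEMES.has(scheme), scheme, href };
}

// Minimal HTML escaping for attribute and text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Render a link: blocked targets lose the anchor entirely and keep only the
// escaped link text, so nothing the author wrote reaches an href attribute.
function renderLink(raw, text) {
  const r = classifyLink(raw);
  if (!r.allowed) return escapeHtml(text);
  return `<a href="${escapeHtml(r.href)}">${escapeHtml(text)}</a>`;
}

// Constructed sample targets (not taken from any real wiki page).
const SAMPLES = [
  "http://example.com/page",
  "Main/HomePage",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "&#106;avascript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
];

for (const s of SAMPLES) {
  const r = classifyLink(s);
  console.log(JSON.stringify(s), "->", r.allowed ? "allowed" : "blocked", r.scheme ?? "(no scheme)");
}
```

Two caveats for anyone adapting this: the scheme allow list must be extended with whatever prefixes the wiki itself uses for intermap or interwiki links, or those links will be rendered as text; and the filter only covers the href, so attributes, event handlers and other places link markup can land still need their own escaping.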