[pmwiki-devel] Real vulnerability?
Petko Yotov
5ko at free.fr
Sun May 9 19:00:53 CDT 2010
On Monday 10 May 2010 01:50:08, Tegan Dowling wrote:
> On Sun, May 9, 2010 at 6:45 PM, Petko Yotov <5ko at free.fr> wrote:
> > Indeed, that's a way to insert potentially harmful JavaScripts in the
> > page. I have immediately fixed it and just released version 2.2.16.
>
> Did that vulnerability exist in all previous versions of PmWiki?
Yes, it did.
> Am I right
> in thinking that it would not be a problem, in practice, in a wiki that was
> 'locked down' for editing by only a trusted few -- i.e. that one must have
> edit access to at least one page of the site in order to insert the
> malicious code?
You are right, a potential attacker needs to have edit permissions.
Petko