[pmwiki-users] Security/information leak in PmWiki

Neil Herber nospam at mail.eton.ca
Thu Feb 17 15:15:42 CST 2005


At 2005-02-17  01:51 PM -0600, Patrick R. Michaud is rumored to have said:
> > >   $SearchPatterns['default'][] = '!^Private\.!';
> > >   $SearchPatterns['all'][] = '!^Private\.!';
> > >   $SearchPatterns['normal'][] = '!^Private\.!';
>  ..... snip ...
>Yes, the search killers need to be global (local/config.php in the field)
>to be effective.

One unexpected side effect of this code is that the (:pagelist:) markup no 
longer lists the Private pages. That is fine outside the Private group, but 
it would be convenient if it worked inside the Private group. Not a show 
stopper, and much better than having the names exposed.

At first I thought there was a far bigger leak provided by the (:include:) 
directive because (:include Private.Budgets:) displayed the entire budget 
page. However, it only displays if the user already has read permission. 
Without read permission, nothing shows up from the included page. Well done!


Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668 
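As an added illustration (not code from this thread or from PmWiki itself), the PHP below models how a '!'-prefixed entry in $SearchPatterns strips matching names from the candidate list that, as Neil observed, both search and (:pagelist:) draw on. The filterPageNames() function and the sample page names are assumptions made for the example; the real filtering is done inside PmWiki, and the $SearchPatterns entries themselves belong in local/config.php as Patrick says. The point worth checking is the anchor: '^Private\.' removes only pages in the Private group, so a page such as Main.PrivateNotes or a group called PrivateWiki is still listed.

```php
<?php
// Added example: a simplified stand-in for PmWiki's page-name filtering.
// Not PmWiki's own code. Convention modelled: a pattern beginning with '!'
// excludes the names it matches (the '!' also serves as the preg delimiter);
// any other regex keeps only the names it matches.
function filterPageNames(array $pages, array $patterns): array {
    foreach ($patterns as $pat) {
        if ($pat === '') {
            continue;
        }
        if ($pat[0] === '!') {
            // Exclusion: drop every name the pattern matches.
            $pages = array_diff($pages, preg_grep($pat, $pages));
        } else {
            // Inclusion: keep only the names the pattern matches.
            $pages = preg_grep($pat, $pages);
        }
    }
    return array_values($pages);
}

// Constructed sample page list (assumption for the example).
$pages = [
    'Main.HomePage',
    'Main.PrivateNotes',   // contains "Private" but is not in the Private group
    'Private.Budgets',
    'Private.Salaries',
    'PrivateWiki.Index',   // different group whose name merely starts with "Private"
];

// The same exclusion the thread puts in local/config.php for 'default',
// 'all' and 'normal'.
$searchPatterns = ['!^Private\.!'];

foreach (filterPageNames($pages, $searchPatterns) as $name) {
    echo $name, PHP_EOL;
}
// Expected: Main.HomePage, Main.PrivateNotes and PrivateWiki.Index are listed;
// Private.Budgets and Private.Salaries are not.
```

An unanchored pattern such as '!Private!' would also hide Main.PrivateNotes and the whole PrivateWiki group, which is the kind of over-broad match to test for after adding an exclusion.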
