[pmwiki-users] Security/information leak in PmWiki
Nils Knappmeier
nk at knappi.org
Sun Feb 20 14:56:48 CST 2005
Patrick R. Michaud wrote:
>On Thu, Feb 17, 2005 at 01:22:12PM -0500, Neil Herber wrote:
>
>>1) If I search for "/", PmWiki gladly displays the group name and the name
>>of all the pages it contains. Names like Private.Budget seem to attract
>>attention.
>>2) By using various search terms, I can glean some information from the
>>supposedly private pages. For example, if I search for "Project X" and get
>>a hit on the page "Private.Budget", that implies some discussion of the
>>project in the budget.
>
>Remove the Private group from searches, by adding:
>
> $SearchPatterns['default'][] = '!^Private\.!';
> $SearchPatterns['all'][] = '!^Private\.!';
> $SearchPatterns['normal'][] = '!^Private\.!';
>
Wouldn't it be better to use RetrieveAuthPage instead of ReadPage to
open the pages for a search?
That way, the user would only get the pages that he is allowed to see.
Nils
>
>>3) The AllRecentChanges page exposes all of the editing activity in the
>>Private group.
>
>In local/Private.php, add
>
> unset($RecentChangesFmt['Main.AllRecentChanges']);
>
>>So the $64 question is, how can I have a truly private group within an
>>existing PmWiki? Or do I have to create another field in my farm for truly
>>private info and protect it with yet another layer of basic authentication?
>
>No, you don't have to go to the trouble of a separate field. OTOH,
>there's no telling what other features or recipes might be inadvertently
>exposing data from the Private group. But we can certainly make efforts
>to identify them and lock them down.
>
>Pm
>_______________________________________________
>pmwiki-users mailing list
>pmwiki-users at pmichaud.com
>http://pmichaud.com/mailman/listinfo/pmwiki-users
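To illustrate the difference between the two approaches discussed above (Pm's name-based `$SearchPatterns` exclusion versus Nils's suggestion of checking read permission per page), here is an added, self-contained model in Python. It is not PmWiki code: the wiki contents, the user names and the `can_read` stand-in for a RetrieveAuthPage read check are constructed for the illustration, and only the `!regex!` exclusion form of the search patterns is modelled.

```python
import re

# Constructed sample wiki: page name -> (content, set of users allowed to read).
# None means world-readable. Illustrative data only, not a real PmWiki store.
PAGES = {
    "Main.HomePage":     ("Welcome to the wiki", None),
    "Main.Projects":     ("Project X kickoff notes", None),
    "Private.Budget":    ("Project X budget: 64 dollars", {"alice"}),
    "Main.BoardMinutes": ("Project X cancelled by the board", {"alice", "bob"}),
}

# PmWiki-style pattern list: an entry starting with '!' excludes matching page
# names, the '!' also serving as regex delimiter, e.g. '!^Private\.!' as in
# the thread. Other entries are treated here as plain regex includes.
SEARCH_PATTERNS = ["!^Private\\.!"]

def match_page_names(names, patterns):
    """Apply include/exclude patterns to a list of page names, in order."""
    for pat in patterns:
        if pat.startswith("!"):
            body = pat.strip("!")
            names = [n for n in names if not re.search(body, n)]
        else:
            names = [n for n in names if re.search(pat.strip("/"), n)]
    return names

def search_by_pattern(term):
    """Name-based exclusion only: what the $SearchPatterns fix provides.
    Pages protected elsewhere (e.g. Main.BoardMinutes) still show up."""
    names = match_page_names(sorted(PAGES), SEARCH_PATTERNS)
    return [n for n in names if term in PAGES[n][0]]

def can_read(name, user):
    """Stand-in for a RetrieveAuthPage(..., 'read') check for this user."""
    readers = PAGES[name][1]
    return readers is None or user in readers

def search_as_user(term, user):
    """Authorization-aware search: hit list limited to readable pages, so a
    search term cannot confirm the contents of a page the user may not open."""
    return [n for n in sorted(PAGES) if can_read(n, user) and term in PAGES[n][0]]
```

Run `search_by_pattern("Project X")` against `search_as_user("Project X", None)` to see the name-based filter still revealing that the board minutes mention Project X to an anonymous searcher.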