[pmwiki-users] read password information leak

Neil Herber nospam at mail.eton.ca
Mon Mar 7 12:31:47 CST 2005


At 2005-03-07  12:14 PM -0600, Patrick R. Michaud is rumored to have said:
>On Mon, Mar 07, 2005 at 12:58:52PM -0500, Neil Herber wrote:
> > At 2005-03-07  11:51 AM -0600, Patrick R. Michaud is rumored to have said:
> > >On Mon, Mar 07, 2005 at 12:29:47PM -0500, Neil Herber wrote:
> > >> The read password does not appear to suppress protected pagenames or
> > >> groupnames for "action=refcount".
> > >
> > How can I restrict the refcount action to me alone? Note that I have been
> > logged in via Apache .htpasswd, so I suspect I need something like the
> > following in local/config.php:
> >
> >            if (@$_SERVER['REMOTE_USER'] == 'Neil'  ... (magical PHP code added here)
>
>Replace your existing include of refcount.php with:
>
>    if (@$_SERVER['REMOTE_USER'] == 'Neil')
>      include_once('scripts/refcount.php');
>
> > All wand-waving appreciated.
>
>*wave*  :-)
>
> > Or is it possible to have a farm wide "refcount action" password as there
> > can be for other actions? That might be a cleaner solution.
>
>   if ($action == 'refcount' && RetrieveAuthPage($pagename, 'admin'))
>     include_once('scripts/refcount.php');
>
>Pm

Further wand-waving is required, because the first solution works, but the 
second does not.

I am not sure what RetrieveAuthPage($pagename, 'admin') is doing and 
whether I should be changing 'admin' to some other value. If I leave it as 
is, I get a password request page that rejects all passwords.

My actual code in farmconfig.php is:

         if ($action == 'refcount' && RetrieveAuthPage($pagename, 'admin'))
           include_once("$FarmD/scripts/refcount.php");



Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668 



