[pmwiki-users] ZAP Permissions and Includes

The Editor editor at fast.st
Thu Oct 12 17:42:56 CDT 2006


On the ZAP forum I was asked about whether the following lines in a
config file would keep someone from including a Data page into another
page, and thus being able to see the stuff you are trying to protect.
(Pardon my slashes).

$pagename = ResolvePageName($pagename); if (substr($pagename !=
\"ZAP-\") $DefaultPasswords[\'read\'] = \'id:*\'; else
$DefaultPasswords[\'read\'] = \'id:AdminName\';
$DefaultPasswords[\'edit\'] = \'id:AdminName\';
$DefaultPasswords[\'admin\'] = \'id:AdminName\';

uhh, how about this:

$pagename = ResolvePageName($pagename);
if (substr($pagename, 0, 4) != "ZAP-")   # test the first four characters of the page name
     $DefaultPasswords['read'] = 'id:*';
else
     $DefaultPasswords['read'] = 'id:AdminName';
$DefaultPasswords['edit'] = 'id:AdminName';
$DefaultPasswords['admin'] = 'id:AdminName';

After checking... I discovered this was a vulnerability if the protect
feature is not used to disable directives...

Maybe it needs to be worked the other way. All pages are not readable,
and then if a page is not a ZAP- page you reset the permissions to
nopass or id or whatever.  Thoughts?

The other option (of course) is to disable directives using the ZAP
protect feature. Thanks for pointing this out, Crisses.

Now about those slashes...

Cheers
Caveman
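The following is an added illustration, not code from the post, from PmWiki or from ZAP. It is a simplified PHP model of why the config above leaks: $DefaultPasswords is chosen once per request from the requested page's name, and the model assumes (as PmWiki does) that the same default is applied to every page read during that request which has no password of its own, including a page pulled in with (:include:). The page names, the user "bob" and the isZapPage/defaultsFor/canRead functions are constructed for the example.

```php
<?php
// Added example: a model of request-level default passwords versus includes.
// Assumption: a default password applies to every page read in the request
// that has no password of its own, included pages among them.

function isZapPage($name) {
    return substr($name, 0, 4) === 'ZAP-';
}

// Defaults are picked once per request from the *requested* page name,
// which is what the config in the post does.
function defaultsFor($requested) {
    return array('read' => isZapPage($requested) ? 'id:AdminName' : 'id:*');
}

// Model of the read check: the page's own attribute wins, else the default.
// 'id:*' means any logged-in user; 'id:NAME' means that user only.
function canRead($page, $attrs, $defaults, $user) {
    $req = isset($attrs[$page]['read']) ? $attrs[$page]['read'] : $defaults['read'];
    if ($req === 'id:*') return $user !== '';
    if (substr($req, 0, 3) === 'id:') return $user === substr($req, 3);
    return true;   // anything else is treated as unprotected in this model
}

function report($label, $ok) {
    echo str_pad($label, 48) . ($ok ? 'READABLE' : 'denied') . "\n";
}

$user  = 'bob';     // constructed: an ordinary logged-in, non-admin user
$attrs = array();   // constructed: no per-page passwords set anywhere

// 1. Direct request for the data page: the ZAP- branch of the config is taken.
$d = defaultsFor('ZAP-Data.Orders');
report('direct request, ZAP-Data.Orders', canRead('ZAP-Data.Orders', $attrs, $d, $user));

// 2. Request for Main.Leak, which contains (:include ZAP-Data.Orders:).
//    The defaults were chosen for Main.Leak, and the included page inherits them.
$d = defaultsFor('Main.Leak');
report('via include from Main.Leak, ZAP-Data.Orders', canRead('ZAP-Data.Orders', $attrs, $d, $user));

// 3. Deny by default, and open the ordinary pages with a password stored on
//    the page itself, so the included data page never sees a relaxed default.
$d = array('read' => 'id:AdminName');
$attrs['Main.Leak'] = array('read' => 'id:*');
report('deny-by-default, Main.Leak', canRead('Main.Leak', $attrs, $d, $user));
report('deny-by-default, included ZAP-Data.Orders', canRead('ZAP-Data.Orders', $attrs, $d, $user));
```

Run it with `php` from the command line. Case 2 is the situation the post describes: the branch that decides the default only ever sees the requested page, so the data page is judged against the relaxed default. Case 3 shows the point of "working it the other way": the admin-only default has to stay in force for the whole request, and the relaxation for ordinary pages has to live on those pages (their own read attribute), not be recomputed from the requested name. Disabling the include directive with the ZAP protect feature, as the post also suggests, removes the path entirely.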



