[pmwiki-users] Conceptual challenges from ZAPwiki...

Ben Wilson dausha at gmail.com
Fri Jun 1 06:10:47 CDT 2007


On 5/31/07, The Editor <editor at fast.st> wrote:
> Just wanted to post a follow up regarding the initial beta release of ZAPwiki.

Dan, et al. I'm generally a charitable fellow who likes everybody to
get along. ZAPWiki is the exception to my rule. First, Dan is clearly
advertising an alternative solution---a rival product. Second, he's
suggesting that his expertise and approach are so radical that Pm
should consider incorporating its design. Third, the code sucks and
his design allows _any_ user to subvert the system. Having helped a
non-profit survive a spam hacker who owned their server for several
months, I can tell you that the exploits in this code would allow my
toddler to own ZAPWiki.

Having looked at your "barn," I can say I'm quite shocked at how much
you need to learn about programming. You have multiple functions, all
of which take no input but immediately incorporate a global variable,
process that variable, then return that variable.

You freely inject raw user data into HTML pages, which violates quite
a few security standards. (You even use the code to change the
$_GET['action'].) Your code assumes a trusting user, which is like
putting the keys on the top of your Bentley in Harlem at 9pm on a
Friday night and returning on Monday to expect the car to still be
there.

What makes this more disturbing is that one of those raw user
variables used during your setup is used to write your index.php:

	$index = "<?php\n\n\$ZAPadmin='$_POST[admin]';\n\ninclude_once('../barn/engine.php');";
	savePage('index.php', $index, $field . '/');

This is insane. You think the single quotes do some good, but this
allows me to write my own program within your program. Heck, it would
be more fun to write a program that would allow me to completely
overwrite your index.php at will with a user submitted post. Something
like:

$_POST['admin'] = <<<'MALCODE'
';
if ($_REQUEST['badboy'] == 'naughty') {
    // Evel Knievel bad code uploading form, which takes a user uploaded
    // file. Oh, make sure 'badboy' is 'nasty'.
}
elseif ($_REQUEST['badboy'] == 'nasty') {
    $index = "<?php\n\n{$_REQUEST['badcode']}";
    savePage('index.php', $index, $field . '/');
}
MALCODE;

Since you've been misguided enough to let the web server have write
access to index.php, then you deserve the fruits of your labors. The
'badcode' could easily be a suite of spam software that spawns a rash
of spam each time somebody _visits_ your site. With this, I can write
my own back door and change that door at will.

As far as using a text editor to edit raw wiki text, that's easily
possible with PmWiki, as demonstrated by Cookbook:Pywe and the Pmwe
tool. Heck, all you need to do is write a simple wrapper that knows
how to wrap/unwrap the raw wiki file and inject your nifty text. It's
not like PmWiki uses a super-secret algorithm to make things
difficult. In fact, PmWiki's page storage system is _almost_ like
JSON.

I had a friend who bought a house from the guy who built it himself.
The original owner was not a building contractor, so the house was a
handyman special. When he bought the house, he had the option to have
the home inspected for $150. He chose to waive the service and paid
$100K for the property. Two years later, there was a small electrical
fire in his daughter's closet. It seems the house had two breaker
boxes. When the state inspector came out to examine the cause, he
asked my friend if he could take a photograph of the breaker box which
caught fire.

"Sure," my friend said.

"Great. I teach electrical work at the local university. I am going to
use this breaker box as a textbook example of how _not_ to wire a box.
Everything that could go wrong in wiring a box went wrong here. Oh,
and because this is bad, you'll have to have all the wiring in your
house completely redone. Your house is condemned until then."

ZAPWiki, meet handyman special.

-- 
Ben Wilson
"Words are the only thing which will last forever" Churchill
"In this case, some words should last less than forever." Ben Wilson
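The index.php injection discussed in the post, as an added example that is neither ZAPwiki's code nor the author's: the first builder mirrors the quoted snippet, the second rejects anything but a plain username and emits the value with var_export(), so it can only ever land in the file as a string literal. The $payload is constructed here for illustration.

```php
<?php
// Added example, not ZAPwiki code: the generated index.php stub built the
// way the post quotes it, beside a hardened version of the same step.

// Vulnerable builder, shaped like the quoted snippet. The single quotes
// around $admin do nothing once $admin itself contains a quote.
function build_index_unsafe(string $admin): string
{
    return "<?php\n\n\$ZAPadmin='$admin';\n\ninclude_once('../barn/engine.php');";
}

// Hardened builder: allow only a short plain username, then let
// var_export() produce a correctly quoted and escaped PHP literal.
function build_index_safe(string $admin): string
{
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $admin)) {
        throw new InvalidArgumentException('admin must be 1-32 chars of [A-Za-z0-9_.-]');
    }
    return "<?php\n\n\$ZAPadmin=" . var_export($admin, true)
         . ";\n\ninclude_once('../barn/engine.php');";
}

// Constructed payload in the spirit of the post: close the string,
// append a statement, reopen a string so the template still parses.
$payload = "'; echo 'injected'; \$x='";

// With the unsafe builder the echo becomes live code in index.php.
echo build_index_unsafe($payload), "\n\n";

// The hardened builder refuses the payload before anything is written.
try {
    build_index_safe($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n\n";
}

// A plain username passes and is emitted as $ZAPadmin='admin';
echo build_index_safe('admin'), "\n";
```

Even the hardened builder still writes executable PHP from a form field; the cleaner fix is to store the admin name in a data file the engine reads at runtime and to take write access to index.php away from the web server entirely.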
