[pmwiki-users] ZAP security vulnerability...

The Editor editor at fast.st
Thu May 3 14:26:10 CDT 2007


I about have the mechanism in place to tighten down the hatches in
ZAP as tight (I hope) as one could want--but the question may become
how much is too much.

In particular I have a system in place by which I must manually unlock
any function that has any kind of risk potential, and manually set a
unique target page (or group) before any form can write to a page as
well. A bit onerous but worth it if it solves our problems.

One question is, given the above assumptions, should I by default allow
forms to post data to the same page without a special unlock step?
(Seems to me Fox made this choice.)  And what about having an
automatically approved auth list--maybe groups like forum, blog, and
comments or something (Fox has also done this).  A malicious user
could impose text on those pages, but with no commands or targets for
those pages could not do much damage.

Thinking out loud--and looking for a recommendation...  I want to
combine security against the really smart folks out there like
Pm--while maintaining as much ease of use as possible (for the simple
folks, like me)...

Cheers,
Dan
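The policy Dan sketches above (same-page posts allowed by default, an auto-approved list of groups that accept text but no commands, and an explicit admin unlock for any other target or any side-effecting function) can be written down as a small decision routine. The following is an added illustration, not ZAP's, Fox's or PmWiki's own code; the array layout, the function names `zap_policy_allows` and `zap_split_page`, the command names and the sample page names are all assumptions made for the example.

```php
<?php
// Added example (not ZAP/Fox code). Models the write policy from the post:
// a form may write to (a) its own page, (b) a page in an auto-approved group
// (text only, no commands), or (c) a target the admin unlocked by hand; and
// any command with side effects must be unlocked individually.
// Every name below is an assumption chosen for illustration.

$zapPolicy = [
    // Default: a form may post back to the page it lives on without an unlock.
    'allow_same_page'      => true,
    // Groups where anyone may append text; no commands run for these targets.
    'auto_approved_groups' => ['Forum', 'Blog', 'Comments'],
    // Targets an admin unlocked manually: form page => list of allowed targets.
    'unlocked_targets'     => ['Main.Survey' => ['Results.Survey']],
    // Side-effecting commands the admin unlocked manually (hypothetical names).
    'unlocked_commands'    => ['mailpost'],
];

/** Split "Group.Name" into [group, name]; null if the name is malformed. */
function zap_split_page($pagename) {
    if (!preg_match('/^([A-Za-z0-9]+)\.([A-Za-z0-9]+)$/', $pagename, $m)) {
        return null;
    }
    return [$m[1], $m[2]];
}

/** True only if every requested command has been explicitly unlocked. */
function zap_commands_unlocked(array $policy, array $commands) {
    foreach ($commands as $cmd) {
        if (!in_array($cmd, $policy['unlocked_commands'], true)) {
            return false;
        }
    }
    return true;
}

/**
 * Decide whether a form living on $formPage may write to $targetPage and run
 * $commands. Returns [bool $allowed, string $reason]. Deny is the default.
 */
function zap_policy_allows(array $policy, $formPage, $targetPage, array $commands) {
    if (zap_split_page($formPage) === null || ($t = zap_split_page($targetPage)) === null) {
        return [false, 'malformed page name'];
    }
    if ($policy['allow_same_page'] && $targetPage === $formPage) {
        return zap_commands_unlocked($policy, $commands)
            ? [true, 'same page']
            : [false, 'command not unlocked'];
    }
    if (in_array($t[0], $policy['auto_approved_groups'], true)) {
        // Text may land here, but no command is ever run for these targets.
        return empty($commands)
            ? [true, 'auto-approved group ' . $t[0] . ' (text only)']
            : [false, 'commands are not allowed on auto-approved groups'];
    }
    $unlocked = isset($policy['unlocked_targets'][$formPage])
        ? $policy['unlocked_targets'][$formPage] : [];
    if (in_array($targetPage, $unlocked, true)) {
        return zap_commands_unlocked($policy, $commands)
            ? [true, 'explicitly unlocked target']
            : [false, 'command not unlocked'];
    }
    return [false, "target '$targetPage' not unlocked for form on '$formPage'"];
}

// Constructed sample submissions: [form page, requested target, commands].
$samples = [
    ['Main.Survey', 'Main.Survey',    []],             // same page, text: ALLOW
    ['Main.Survey', 'Main.Survey',    ['mailpost']],   // unlocked command: ALLOW
    ['Main.Survey', 'Main.Survey',    ['deletepage']], // locked command: DENY
    ['Main.Survey', 'Forum.Thread1',  []],             // auto-approved group: ALLOW
    ['Main.Survey', 'Forum.Thread1',  ['mailpost']],   // command on forum: DENY
    ['Main.Survey', 'Results.Survey', []],             // unlocked target: ALLOW
    ['Main.Survey', 'Admin.Settings', []],             // never unlocked: DENY
    ['Main.Survey', '../etc/passwd',  []],             // malformed name: DENY
];
foreach ($samples as [$form, $target, $cmds]) {
    [$ok, $why] = zap_policy_allows($zapPolicy, $form, $target, $cmds);
    printf("%-12s -> %-15s %s (%s)\n", $form, $target, $ok ? 'ALLOW' : 'DENY', $why);
}
```

The shape worth keeping from this sketch is that the decision is deny-by-default with three narrow allow paths, and that the auto-approved groups buy convenience only for plain text: a target being on that list never turns a command on, so the "impose text but do no damage" trade-off in the post holds by construction rather than by convention.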



More information about the pmwiki-users mailing list