[pmwiki-users] ZAP security vulnerability...

Hans design5 at softflow.co.uk
Thu May 3 14:53:37 CDT 2007


Thursday, May 3, 2007, 8:41:42 PM, Hans wrote:

> I am just mulling over this choice, and suspect it is no good.
> As we have seen, it is enough to include a form into a page by having it
> added to the GroupFooter for instance. Then someone can post to the
> page, even if it was protected.

Hmm, I just tested this: put a fox form into the GroupFooter, have no
special posting permission set for the page. Fox could not post to the
page it was included in. I added a (:foxappend :) markup to the page,
and Fox can now post to it.

So it seems okay to have a string check for the presence of the form
markup, in order to allow posting to the page the form is on.
But there may be many occasions where this is not desirable.


  ~Hans
