[pmwiki-users] ZAP Security Fix Released...

The Editor editor at fast.st
Fri May 4 15:12:22 CDT 2007


The new version of ZAP is just released, and a strongly recommended
upgrade. Features:

1) A more systematic block of the Query Fmt attack Pm demonstrated.
2) No longer able to post to Site pages without a config variable being reset.
3) A complete Command & Target wiki-based config system that allows
you to have extreme fine-tuned control over which pages can do what to
what pages.

Note: Closed sites, or sites using Ben's suggestion for closed
ZAPfields can bypass #3 by simply not creating the corresponding
security config pages.

Other fixes/features:

1) Completely reworked the messaging system to make it easy to
override any default system message in a form or on a Site Config
page. Very flexible.
2) Fixed the anchor/thread conflict.
3) Read permission checking was added to the templating engine.
4) The SectionList command is now included in the ZAPtoolbox.
5) Added in-code comments to much of the ZAP core module.

I just uploaded to ZAPsite (version: May 5, 2007) and have begun
documenting the changes--but won't have time to finish till probably
early next week. I haven't noticed any broken forms except one or two
advanced ones involving messaging--so it should be a mostly pain-free
upgrade. Please report bugs if found, as this was a pretty significant
rework of the code under very intense time pressure.

My apologies to the PmWiki community for not at least taking a few
more precautions with ZAP. I never would have guessed you could do
with PmWiki what Pm did, but I should have taken some extra safety
measures--just to be on the safe side.

Upgrades are encouraged. Feedback and comments welcome. Pm, if you
wouldn't mind, please verify that these changes block the attacks you
demonstrated. Unfortunately I'm not at a place to easily reproduce
your attack.

Cheers,
Dan
