[pmwiki-users] Security issues in Pmwiki and UserAuth2

Olle Bergkvist ollebe at student.chalmers.se
Sun Dec 28 07:24:29 CST 2008

Hello list.

Some time ago I discovered several security issues, both in PmWiki and in
the UserAuth2 recipe. In some of those cases I think the design wasn't
optimal for security, and in another case it was a very real bug which
could cause major site ownage. Each time, I tried to contact PM and Thomas
Pitschel respectively; emailing PM is what I'm supposed to do according to
http://pmwiki.org/wiki/PmWiki/Security . I sent them messages via Freenode
as well. But nope, I have not yet received any reply.

I don't believe in public disclosure of security vulnerabilities. That
creates unnecessary risks for site admins who are slow to update their
installations. But when the project maintainers don't seem to listen to
me, what am I supposed to do? I want the code to be fixed ASAP, if the
bugs are worth taking seriously, and feedback from the maintainers even if
it's just a false alarm. I have fixed the issues on _my_ server; I just want
to help improve PmWiki's security for _other_ users. Public disclosure
won't do that.

Once again, PM and Thomas, please read the emails I've sent you.


//Olle Bergkvist

