[pmwiki-users] concerning GroupAttributes a potential security risk
Swift, Chris
Chris.Swift at eu.dodea.edu
Tue Nov 4 04:55:48 CST 2008
Hans,
Good point! Sorry, I should have added this last part, which would make the problem clearer. Basically, I have the entire set with $DefaultPasswords['attr'] = crypt('secret_password'); as you said. However, I want people to be able to create pages within a group where they can set their own attributes. That's what complicated things. So, I first set in Example.GroupAttributes all of them to @nopass, so people can set their own passwords just for that group. What I didn't realize is that this automatically makes the Example.GroupAttributes page open to anyone, because it's within the Example.GroupAttributes range... if that makes sense. ;-)
Anyway, the only way that I could still allow people to set their own attributes within that group (via the Example.GroupAttributes) was to set up an autorestore (maybe to run every 15 seconds or so). I have already installed autorestore for my wikisandbox page, so that's why I posted the other point before.
Do you think the idea of using autorestore for the Example.GroupAttributes is a good method of fixing the problem concerning the openness of Example.GroupAttributes, or do you (or anyone else) recommend a different approach?
Thanks,
Chris
________________________________
From: Hans [mailto:design5 at softflow.co.uk]
Sent: Tue 11/4/2008 11:51 AM
To: Swift, Chris
Cc: PmWiki Users
Subject: Re: [pmwiki-users] concerning GroupAttributes a potential security risk
Tuesday, November 4, 2008, 9:18:40 AM, Swift, Chris wrote:
> I'm using the www.pmwiki.org/wiki/Cookbook/AutoRestore
> <http://www.pmwiki.org/wiki/Cookbook/AutoRestore> (autorestore)
> function, which will automatically restore my example.GroupAttributes
> page, the only issue with that is that someone in the system could
> potentially lock different groups for a few minutes until autorestore
> has made its way back into the system. If anyone has a better
> suggestion, please let me know.
Can you not just prevent meddling of page attributes by setting a
sitewide attr password in config.php?
$DefaultPasswords['attr'] = crypt('secret_password');
http://www.pmwiki.org/wiki/PmWiki/PasswordsAdmin
~Hans