[pmwiki-users] concerning GroupAttributes a potential security risk

Swift, Chris Chris.Swift at eu.dodea.edu
Tue Nov 4 07:30:37 CST 2008


Thanks for your response. 

I don't have my site in front of me (nor do I have access to it); however,
whenever I put that markup ?action=attr, it brought me to the Group
Attributes page, which means that if I put, for example, @lock, then it
locks the entire group.

That's where the problem is.  Also, the website has the entire
attributes locked down, so that's why I needed to set the
GroupAttributes part.



-----Original Message-----
From: fast4god at gmail.com [mailto:fast4god at gmail.com] On Behalf Of The
Sent: Tuesday, November 04, 2008 1:54 PM
To: Hans
Cc: Swift, Chris; PmWiki Users
Subject: Re: [pmwiki-users] concerning GroupAttributes a potential
security risk

On Tue, Nov 4, 2008 at 6:29 AM, Hans <design5 at softflow.co.uk> wrote:
> Tuesday, November 4, 2008, 10:55:48 AM, Swift, Chris wrote:
>> Do you think the idea of using autorestore for the 
>> Example.GroupAttributes is a good method of fixing the problem 
>> concerning the openness of Example.GroupAttributes, or do you (or 
>> anyone else) recommend a different approach?
> Well it may prevent someone permanently locking the group.
> But really one would want to lock the GroupAttributes page, so that 
> only the admin can change attributes of it.
> I don't know how to do this.
> I hope Patrick has an answer for this.

Don't you just set the attributes for the attributes page itself?
Just go to group.attr&action=attr or something like that. Then you can't
change the attr for that group without knowing the password.

It's been a while since I've done this so I may not recall the exact
syntax properly, but I think this may be correct.  I'm sure it's in the
docs--how to set the attributes for a specific page.

