[pmwiki-announce] Custom PageVariables from request strings: critical vulnerability

Petko Yotov 5ko at 5ko.fr
Sat Dec 19 11:24:25 CST 2015


This message concerns you if your wiki creates custom page variables 
which get their values from request strings like the URL address of the 

The previously documented recommended way to sanitize such values can 
allow PHP code injection in some cases.

The following is very insecure:

   $FmtPV['$Var'] = $_REQUEST['Var']; # insecure
   $FmtPV['$Var'] = '"'. addslashes($_REQUEST['Var']).'"'; # insecure

While the first way was known to be insecure, the second way was 
recommended, but unfortunately a new vulnerability exploiting it was 
reported to me 2 hours ago.

If your wiki uses such custom variables, it is highly recommended to 
disable your custom $FmtPV definitions and to install the recipe 
HttpVariables which does not allow the input strings to be evaluated by 
the PHP engine:


If you need any assistance you can contact me.


Change log     :  http://www.pmwiki.org/wiki/PmWiki/ChangeLog
Release notes  :  http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
If you upgrade :  http://www.pmwiki.org/wiki/PmWiki/Upgrades

More information about the pmwiki-announce mailing list