[pmwiki-devel] Security issues: Disabling action=source & action=diff?

The Editor editor at fast.st
Tue Dec 5 09:54:40 CST 2006


In the ZAP recipe, the default recommended configuration setup
includes this line:

$HandleAuth['source'] ='admin';

It's also discussed some in the security writeup for that recipe.

Cheers,
Caveman

PS.  Is there a need to block the diff action?  It only shows output,
not source, correct?

On 12/5/06, Dominique Faure <dominique.faure at gmail.com> wrote:
> On 12/5/06, Crisses <crisses at kinhost.org> wrote:
> >
> > Now that some recipes are possibly storing data invisibly in the PmWiki
> > source of a page, should we have a standard "disable public view of source"
> > (and history?) option in the config.php file?
> >
> > I note that I can look at cookbook stuff on PmWiki.org, and the "see it in
> > action at..." then even if I can't edit to view the example source, I can
> > type &action=source into the browser, and there it is....
> >
> > [A closed edit site, close to my heart :) ]
> > http://eclectictech.net/?action=source
> >
> > Obviously I'm doing it from the PmWiki developer point of view, out of a
> > curiosity of "How can I improve my sites?" and "How did they DO! that?" but
> > others may do it from the "How can I hack sites?" point of view, so I would
> > think some people would want to (or NEED to) limit others viewing PmWiki
> > source code.
> >
> > I think this should be listed somewhere in a list of items that new installs
> > should review for security purposes.  I'm seeing people "just installing"
> > PmWiki without knowing that their site is vulnerable to vandals, for
> > example.  Maybe a pointer to an installation review checklist should be on
> > the Installation page?
> >
> > Yeah, yeah, "that sounds like the voice of a volunteer" ;)  I'd be glad to
> > kick it off, but either tell or remind me how to disable these actions -->
> > can we tie them in to authentication levels?  Like you can only view source
> > if you can edit the page?
> >
> > Then I can start off a link from the Installation instructions to a page of
> > "Recommended security procedures" (a list of items with brief descriptions)
> > that then link to relevant information for implementation on each item.
> >
> > Anyone against this?  For it?  Want to help?  Want to do it instead? :)
> >
> >
>
> The basic site protection I could suggest would be to synch
> 'action=source' or 'action=diff' with 'action=edit' auth level:
>
> $HandleAuth['diff'] = $HandleAuth['source'] = 'edit';
>
> As simple as that,
> Dom
>
> _______________________________________________
> pmwiki-devel mailing list
> pmwiki-devel at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
>

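For readers who want to apply the two suggestions above, here is a local/config.php fragment showing PmWiki's permissive default beside Dom's and ZAP's settings. This is an added example, not code from the thread or from PmWiki itself; the passphrase and the exact fallback behaviour noted in the comments are assumptions to check against the PmWiki release in use.

```php
<?php if (!defined('PmWiki')) exit();
// local/config.php -- added example, not from the mailing-list thread.
//
// PmWiki maps each ?action= to a required authorization level through
// $HandleAuth.  Unless a site overrides them, 'source' and 'diff' need
// only 'read', so any visitor can fetch the raw page markup
// (?action=source) and the page history (?action=diff).  The history
// view shows markup-level diffs by default ($DiffShow['source'] is 'y'),
// so leaving 'diff' open leaks the same text that 'source' does.

// --- Permissive default (shown only for contrast; this is what you get
// --- when the lines are absent):
// $HandleAuth['source'] = 'read';
// $HandleAuth['diff']   = 'read';

// --- Dom's suggestion: viewing markup or history requires the same
// --- permission as editing the page.
$HandleAuth['diff'] = $HandleAuth['source'] = 'edit';

// --- ZAP's stricter recommendation for 'source' alone (uncomment to use):
// $HandleAuth['source'] = 'admin';

// These levels only bite if the corresponding password is actually set.
// On a site where 'edit' is unprotected, 'edit' is no better than 'read'.
// Assumed site-wide passphrase; replace it.  PmWiki stores hashes made
// with crypt(), so the plaintext never sits in config.php in the clear.
$DefaultPasswords['edit']  = crypt('replace-with-a-long-passphrase');
$DefaultPasswords['admin'] = crypt('replace-with-another-passphrase');

// Verification (do this logged out, in a fresh browser session):
//   http://example.org/pmwiki.php?n=Main.HomePage&action=source
//   http://example.org/pmwiki.php?n=Main.HomePage&action=diff
// Both should now produce PmWiki's password prompt instead of markup.
```

Per-page and per-group `edit` passwords set through ?action=attr are honoured as well, because `$HandleAuth['source'] = 'edit'` simply reuses whatever rule already governs editing that page; no separate password layer is introduced.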

