[pmwiki-devel] ZAP farms: a modest proposal for security

The Editor editor at fast.st
Thu May 3 13:30:18 CDT 2007


On 5/3/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Thu, May 03, 2007 at 12:05:50PM -0500, Patrick R. Michaud wrote:
> > On Thu, May 03, 2007 at 11:02:26AM -0500, Ben Stallings wrote:
> > > I got to thinking yesterday about the ZAP vulnerability, both the
> > > exploit Pm has demonstrated fully and the one he's alluded mysteriously
> > > to as a homework assignment for Dan.  ;-)
> >
> > Dan and I have since corresponded off-list on the 'homework assignment'.
> > I'll post the answer in a followup thread.
>
> Actually, I started to post the answer but then decided that doing
> so might be a bit irresponsible at this point.
>
> So, mail me off-list if you want to know the answers.


No worries. I think I've discovered your second exploit, and now that
I'm beginning to understand what I'm looking for, have found one or
two other possible ones I've also blocked (along basically the same
lines). I've recently rewritten ZAP to block all these exploits though
of course this is not saying there might not be still be others. I'll
post a full report on my homework assignment just as soon as I have
the fix ready for release.

The delay this time, is that I want the fix to be more comprehensive,
so I'll be revamping the entire security system--or at least adding
two more levels of protection. (Not to mention revamping the messaging
system and solving the anchor/thread problem). Anyway, now I've got
some bugs in my fix that need "zapping".

So please be patient all, I'll give a full report soon.  Thanks Pm for
the education.  We'll get ZAP locked properly, or at least better,
soon...

Cheers,
Dan



More information about the pmwiki-devel mailing list