[pmwiki-devel] Real vulnerability?

Hans design5 at softflow.co.uk
Mon May 10 04:04:46 CDT 2010


Monday, May 10, 2010, 12:50:08 AM, Tegan wrote:

> Am I right in thinking that it would not be a problem, in practice,
> in a wiki that was 'locked down' for editing by only a trusted few
> -- i.e. that one must have edit access to at least one page of the
> site in order to insert the malicious code?

Apart from having edit permissions, users may be able to post content
via add-ons like CommentBox. Posting simple table markup as part of a
comment may well be possible. So I think it would be prudent to
upgrade any wiki which uses recipes to enable user content input
of any kind (comment forms, other forms, calendar event input etc).


Hans



