[Pmwiki-users] Re: Default Passwords

Patrick R. Michaud pmichaud
Thu Dec 16 20:16:08 CST 2004


On Thu, Dec 16, 2004 at 10:18:45PM +0000, Hans Bracker wrote:
> 
> So pmwiki ships with some hidden group attribute passwords set for Main
> and PmWiki groups. Removing the * from passwdattr=* in GroupAttributes
> raw text unlocks the group attributes.

Yes, but you can also remove the attr password by setting the attr password
to "clear" in the ?action=attr form.  (If your response to that is "okay,
but how can I use ?action=attr if the attr password is locked?", the
answer is to use the admin password. :-)

> Since GroupAttributes is a page normally with no content, but acting
> as a container for the group passwords it is still possible to edit
> the page (if edit password is not set or I know the edit password) and
> delete it the normal way, entering "delete" and saving the page. 

OOOOOPS!  I knew this particular vulnerability existed but never got
around to fixing it.  

> ... Is there a way to make GroupAttributes more secure?

Sure, the solution I had in mind was to simply say that "attr"
privileges are required in order to delete a page instead of just
"edit" privileges.  

Pm
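The escalation path discussed in this message (edit rights on an empty GroupAttributes page turn into attr rights on the whole group) and Pm's proposed fix (attr rights required to delete), modelled as a small Python script. This is an added illustration for the thread, not PmWiki's code: the Wiki class, its password lookup order (the page's own password, then the group's GroupAttributes page, then open), the admin password value, the page names and the attacker scenario are all assumptions made for the example; "*" is treated as "locked, admin only", following the quoted passwdattr=*.

```python
"""Toy model of PmWiki-style page and group passwords.

Constructed illustration for the mailing-list thread; this is NOT PmWiki's code.
It models just enough to show why an editor who can delete Main.GroupAttributes
ends up with "attr" rights on every page in the group, and what changes when
deletion requires "attr" rights instead of "edit" rights.
"""

LOCKED = "*"                      # modelled after the quoted passwdattr=*: admin only
DELETE_KEYWORD = "delete"         # saving a page containing only this word deletes it
ADMIN_PASSWORD = "admin-secret"   # assumed value for the model


class Wiki:
    def __init__(self, delete_requires_attr):
        self.delete_requires_attr = delete_requires_attr
        # page name -> {"text": str, "passwd": {"edit": str, "attr": str}}
        self.pages = {}

    @staticmethod
    def group_of(page):
        return page.split(".", 1)[0]

    def effective_password(self, page, level):
        """Page's own password, else the group's GroupAttributes password, else None (open)."""
        own = self.pages.get(page, {}).get("passwd", {}).get(level)
        if own:
            return own
        ga = self.pages.get(self.group_of(page) + ".GroupAttributes", {})
        return ga.get("passwd", {}).get(level)

    def authorized(self, page, level, supplied):
        if supplied == ADMIN_PASSWORD:
            return True                   # admin password overrides everything
        required = self.effective_password(page, level)
        if required is None:
            return True                   # no password at page or group level: open
        if required == LOCKED:
            return False                  # locked: nobody but admin
        return supplied == required

    def save(self, page, text, supplied=None):
        """Edit (or delete) a page; the delete check is the part the thread is about."""
        if not self.authorized(page, "edit", supplied):
            raise PermissionError("edit denied on " + page)
        if text.strip() == DELETE_KEYWORD:
            if self.delete_requires_attr and not self.authorized(page, "attr", supplied):
                raise PermissionError("delete denied on " + page + ": attr rights required")
            self.pages.pop(page, None)
            return "deleted"
        self.pages.setdefault(page, {"text": "", "passwd": {}})["text"] = text
        return "saved"

    def set_attr(self, page, level, password, supplied=None):
        """The ?action=attr form: changing a page's passwords needs attr rights."""
        if not self.authorized(page, "attr", supplied):
            raise PermissionError("attr denied on " + page)
        self.pages.setdefault(page, {"text": "", "passwd": {}})["passwd"][level] = password


def attacker_run(delete_requires_attr):
    """An anonymous editor tries to gain attr rights over the Main group (constructed scenario)."""
    w = Wiki(delete_requires_attr)
    # Shipped state as described in the thread: GroupAttributes has a locked attr
    # password, no content, and no edit password.
    w.pages["Main.GroupAttributes"] = {"text": "", "passwd": {"attr": LOCKED}}
    w.pages["Main.HomePage"] = {"text": "Welcome", "passwd": {}}

    result = {"attr_locked_before": not w.authorized("Main.HomePage", "attr", None)}
    try:
        result["delete"] = w.save("Main.GroupAttributes", DELETE_KEYWORD)
    except PermissionError as e:
        result["delete"] = str(e)
    try:
        # With GroupAttributes gone, nothing supplies an attr password for the group.
        w.set_attr("Main.HomePage", "edit", "attacker-owns-this")
        result["attacker_set_edit_password"] = True
    except PermissionError:
        result["attacker_set_edit_password"] = False
    return result


if __name__ == "__main__":
    print("edit rights suffice to delete:", attacker_run(False))
    print("attr rights required to delete:", attacker_run(True))
```

With `delete_requires_attr=False` the anonymous editor deletes Main.GroupAttributes and then sets an edit password on Main.HomePage; with it set to `True` the same deletion is refused because the group's attr password is locked, and the attacker never gains attr rights.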
