[Pmwiki-users] Re: Default Passwords

Patrick R. Michaud pmichaud
Thu Dec 16 20:16:08 CST 2004

On Thu, Dec 16, 2004 at 10:18:45PM +0000, Hans Bracker wrote:
> So pmwiki ships with some hidden group attribute passwords set for Main
> and PmWiki groups. Removing the * from passwdattr=* in GroupAttributes
> raw text unlocks the group attributes.

Yes, but you can also remove the attr password by setting the attr password 
to "clear" in the ?action=attr form.  (If your response to that is "okay,
but how can I use ?action=attr if the attr password is locked, the
answer is to use the admin password. :-)

> Since GroupAttributes is a page normally with no content, but acting
> as a container for the group passwords it is still possible to edit
> the page (if edit password is not set or I know the edit password) and
> delete it the normal way, entering "delete" and saving the page. 

OOOOOPS!  I knew this particular vulnerability existed but never got
around to fixing it.  

> ... Is there a way to make GroupAttributes more secure?

Sure, the solution I had in mind was to simply say that "attr"
privileges are required in order to delete a page instead of just
"edit" privileges.  


More information about the pmwiki-users mailing list