[pmwiki-users] Re: Security/information leak in PmWIki
V.Krishn
mistyfire at autograf.pl
Sun Feb 20 07:44:21 CST 2005
On Friday 18 February 2005 02:44, Neil Herber wrote:
>
>
> 1) If I search for "/", PmWiki gladly displays the group name and the name
> of all the pages it contains. Names like Private.Budget seem to attract
> attention.
>
Not only "/": just by simply hitting search, the full wiki-page structure is
displayed.
Consider this on a site having more than 4000 wiki pages. Does PmWiki have
some kind of check/limitation on displaying such an essentially undesirable
feature (both security-wise as well as a waste of bandwidth)?
My suggestion would be that the SearchBox should require a minimum of three
characters to show the search result.
> 2) By using various search terms, I can glean some information from the
> supposedly private pages. For example, if I search for "Project X" and get
> a hit on the page "Private.Budget", that implies some discussion of the
> project in the budget.
>
> 3) The AllRecentChanges page exposes all of the editing activity in the
> Private group.
>
> So the $64 question is, how can I have a truly private group within an
> existing PmWiki? Or do I have to create another field in my farm for truly
> private info and protect it with yet another layer of basic authentication?
>
Great to have brought this question up again. Though
http://www.pmwiki.org/wiki/Cookbook/SearchResults (last updated "October 20,
2004") has some answers, the subsequent discussion in this thread
certainly shows that this page needs serious attention.
> This did not work .... but this did:
>
> if (strncmp($pagename, 'Private', 7) != 0) {
>
> I have no idea why. :-/
>>...because the group+page separator can be either a dot or a slash, and
>>with $EnablePathInfo=1; it will tend to be a slash instead of a dot.
>>I should probably adjust the code to automatically convert any slashes
>>in $pagename to dots.
>>The above will work except that any group beginning with 'Private'
>>(e.g., 'PrivateRyan') will see the Private.* pages in result listings.
I think this brings Neil's question on Security/Information back to
Square One.
Another suggestion would be to create an array variable (or variables) that can be set
in config.php, e.g.
$SearchExcludePages = array('Private', 'Profile.Krishn', 'Personal');
OR two variables, $SearchExcludeGroups and $SearchExcludePages
....this would then exclude these pages from normal search results but would show
them from within the respective excluded $Groups or $Groups.Name
V.Krishn
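The exclusion-list idea above and the dot/slash and 'PrivateRyan' prefix problem from the quoted reply, worked through as an added PHP example that is not part of this thread or of PmWiki's own code. $SearchExcludeGroups, $SearchExcludePages, $SearchMinLength, splitPageName(), filterSearchResults() and searchTermAllowed() are assumed names for illustration, not real PmWiki variables or functions, and the result list is constructed:

```php
<?php
// Added example (not PmWiki's code): a search-result filter showing the two
// mitigations discussed in this thread. All variable and function names here
// are assumptions for the example, not real PmWiki identifiers.

// Assumed config values: whole groups and individual pages that must not
// appear in ordinary search results, and a minimum search-term length.
$SearchExcludeGroups = array('Private', 'Personal');
$SearchExcludePages  = array('Profile.Krishn');
$SearchMinLength     = 3;

// Normalise "Group/Name" (as produced with $EnablePathInfo=1) to "Group.Name"
// and split it, so the group can be compared exactly rather than by prefix.
function splitPageName($pagename) {
    $pagename = str_replace('/', '.', $pagename);
    $parts = explode('.', $pagename, 2);
    if (count($parts) < 2) {
        return array($pagename, '');
    }
    return $parts;
}

// Return only the result pages a visitor searching from $currentPage may see.
// A page is hidden when its whole group is excluded or it is listed
// explicitly, unless the search was issued from inside that same group
// (the thread's "would show from within the respective excluded group").
function filterSearchResults(array $results, $currentPage,
                             array $excludeGroups, array $excludePages) {
    list($currentGroup) = splitPageName($currentPage);
    $kept = array();
    foreach ($results as $page) {
        list($group, $name) = splitPageName($page);
        $full = $group . '.' . $name;
        // Exact group match: 'PrivateRyan' is not 'Private', unlike strncmp().
        $groupHidden = in_array($group, $excludeGroups, true);
        $pageHidden  = in_array($full, $excludePages, true);
        if (($groupHidden || $pageHidden) && $group !== $currentGroup) {
            continue;
        }
        $kept[] = $full;
    }
    return $kept;
}

// Reject searches too short to be a real query; an empty search or "/"
// would otherwise list the whole page structure.
function searchTermAllowed($term, $minLength) {
    return strlen(trim($term)) >= $minLength;
}

// Constructed sample results, including a 'PrivateRyan' group that a prefix
// test on 'Private' would wrongly have hidden.
$results = array('Main.HomePage', 'Private.Budget', 'Private/Plans',
                 'PrivateRyan.Story', 'Profile.Krishn', 'Profile.Neil');

// Searching from Main: Private.* and Profile.Krishn are hidden,
// PrivateRyan.Story is kept.
print_r(filterSearchResults($results, 'Main.WikiSandbox',
                            $SearchExcludeGroups, $SearchExcludePages));

// Searching from inside the Private group: its own pages are shown again.
print_r(filterSearchResults($results, 'Private/Index',
                            $SearchExcludeGroups, $SearchExcludePages));

var_dump(searchTermAllowed('/', $SearchMinLength));
var_dump(searchTermAllowed('Budget', $SearchMinLength));
```

The filter compares the whole group name rather than a prefix, and normalises the separator first, so the behaviour is the same whether $EnablePathInfo produces "Private/Budget" or "Private.Budget".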
More information about the pmwiki-users mailing list