[pmwiki-users] Re: Security/information leak in PmWIki

V.Krishn mistyfire at autograf.pl
Sun Feb 20 07:44:21 CST 2005


On Friday 18 February 2005 02:44, Neil Herber wrote:
>
>
> 1) If I search for "/", PmWiki gladly displays the group name and the name
> of all the pages it contains. Names like Private.Budget seem to attract
> attention.
>
Not only "/": just by simply hitting search, the full wiki-page structure is 
displayed.
Consider this on a site having more than 4000 wiki pages. Does PmWiki have 
some kind of check/limitation to display such an essentially undesirable 
feature? (Both security-wise as well as a waste of bandwidth.)

My suggestion would be that the SearchBox should require a minimum of three 
characters to show the search result.
> 2) By using various search terms, I can glean some information from the
> supposedly private pages. For example, if I search for "Project X" and get
> a hit on the page "Private.Budget", that implies some discussion of the
> project in the budget.
>
> 3) The AllRecentChanges page exposes all of the editing activity in the
> Private group.
>
> So the $64 question is, how can I have a truly private group within an
> existing PmWiki? Or do I have to create another field in my farm for truly
> private info and protect it with yet another layer of basic authentication?
>
Great to have brought this question up again. Though 
http://www.pmwiki.org/wiki/Cookbook/SearchResults (last updated "October 20, 
2004") has some answers, the subsequent discussion in this thread 
certainly shows that this page needs serious attention.

> This did not work .... but this did:
> 
>     if (strncmp($pagename, 'Private', 7) != 0) {
> 
> I have no idea why.   :-/

>>...because the group+page separator can be either a dot or a slash, and
>>with $EnablePathInfo=1; it will tend to be a slash instead of a dot.
>>I should probably adjust the code to automatically convert any slashes
>>in $pagename to dots.
>>The above will work except that any group beginning with 'Private'
>>(e.g., 'PrivateRyan') will see the Private.* pages in result listings.

I think this brings Neil's question on security/information leaks back to 
square one.

Another suggestion would be to create array variable/s that can be set 
in config.php, e.g.
$SearchExcludePages = array('Private', 'Profile.Krishn', 'Personal');
OR 2 variables, $SearchExcludeGroups and $SearchExcludePages.
....this would then exclude these pages from normal search results but would show 
them from within the respective excluded $Groups or $Groups.Name.

V.Krishn
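The following is an added illustration of the two ideas in this thread (exclusion lists for search, and a minimum search-term length), not code from PmWiki or from the posters. The variable names $SearchExcludeGroups and $SearchExcludePages are taken from the proposal above; every function name is hypothetical, and the result list is constructed. It also shows why page names must be normalised from "Group/Name" to "Group.Name" before comparing, and why an exact group match is preferable to the strncmp($pagename, 'Private', 7) prefix test, which would also hide a group such as "PrivateRyan".

```php
<?php
// Added example, not part of PmWiki. Hypothetical helpers built around the
// $SearchExcludeGroups / $SearchExcludePages idea from the mailing-list post.

// As they might be set in config.php (names from the proposal, values constructed).
$SearchExcludeGroups = array('Private');
$SearchExcludePages  = array('Profile.Krishn');

// PmWiki names a page as Group.Name, but with $EnablePathInfo=1 the separator
// tends to be a slash; normalise so that comparisons see one form only.
function NormalizePageName($pagename) {
  return str_replace('/', '.', $pagename);
}

// Group part of a normalised page name.
function PageGroup($pagename) {
  $parts = explode('.', NormalizePageName($pagename), 2);
  return $parts[0];
}

// Suggested minimum of three characters before a search returns anything,
// so an empty search cannot dump the whole page structure.
function SearchTermLongEnough($term, $min = 3) {
  return strlen(trim($term)) >= $min;
}

// Hide $candidate from a search issued from $current?
//  - exact group match, so 'PrivateRyan' is not caught by 'Private'
//  - pages of an excluded group stay visible when searching from inside it
function IsExcludedFromSearch($candidate, $current, $excludeGroups, $excludePages) {
  $candidate = NormalizePageName($candidate);
  $group = PageGroup($candidate);
  if (PageGroup($current) === $group) return false;  // searching from within the group
  if (in_array($group, $excludeGroups, true)) return true;
  if (in_array($candidate, $excludePages, true)) return true;
  return false;
}

// Apply both rules to a list of matching page names.
function FilterSearchResults($term, $results, $current, $excludeGroups, $excludePages) {
  if (!SearchTermLongEnough($term)) return array();
  $visible = array();
  foreach ($results as $p) {
    if (!IsExcludedFromSearch($p, $current, $excludeGroups, $excludePages)) {
      $visible[] = $p;
    }
  }
  return $visible;
}

// Constructed sample: what a raw search might return, in both separator forms.
$results = array('Main.HomePage', 'Private/Budget', 'PrivateRyan.Notes', 'Profile.Krishn');

// Empty term: nothing is listed.
print_r(FilterSearchResults('', $results, 'Main.WikiSandbox',
                            $SearchExcludeGroups, $SearchExcludePages));
// From an ordinary page: Private.* and Profile.Krishn are hidden, PrivateRyan.* is not.
print_r(FilterSearchResults('budget', $results, 'Main.WikiSandbox',
                            $SearchExcludeGroups, $SearchExcludePages));
// From inside the Private group: Private/Budget is listed again.
print_r(FilterSearchResults('budget', $results, 'Private.Index',
                            $SearchExcludeGroups, $SearchExcludePages));
```

The exclusion list only trims what the search listing shows; it is a presentation filter, and the pages themselves still need read passwords if they are to stay private from anyone who guesses a name.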