[pmwiki-users] read password information leak

Neil Herber nospam at mail.eton.ca
Mon Mar 7 12:57:36 CST 2005
At 2005-03-07  12:45 PM -0600, Patrick R. Michaud is rumored to have said:
>On Mon, Mar 07, 2005 at 01:31:47PM -0500, Neil Herber wrote:
> > >  if ($action == 'refcount' && RetrieveAuthPage($pagename, 'admin'))
> > >    include_once('scripts/refcount.php');
> >
> > Further wand-waving is required, because the first solution works, but the
> > second does not.
> >
> > I am not sure what RetrieveAuthPage($pagename, 'admin') is doing and
> > whether I should be changing 'admin' to some other value.
>
>RetrieveAuthPage is supposed to say retrieve the current page ($pagename)
>and require 'admin' access.  Once the admin password is entered it should
>allow access.  Note that you have to do this *after* the admin password
>has been set, however, otherwise the default is to be locked.
>
>I'll have to give it a try on pmwiki.org a bit later if this doesn't
>resolve it -- it seems like it ought to work.
>
>Pm

There is something fishy here.

If I enter "/Main/HomePage?action=attr" I get a password request that has 
the background color of my skin.

If I enter "/Main/HomePage?action=refcount" I get a password request that 
has a white background.

On the first one, there is a big pile of CSS code and robots meta code in 
the page source that does not appear on the second.

Is this indicative of anything?
Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668 