[pmwiki-users] Security issue: Site/SideBar has set the nopasswd option

H. Fox haganfox at users.sourceforge.net
Fri Jul 7 19:04:09 CDT 2006


On 7/7/06, Stefan Schimanski <sts at 1stein.org> wrote:
> Hello PmWiki developers,
>
> I found out today, that for the months I am using pmwiki my Site/SideBar
> was writable by everybody although I implemented authorization for the
> site. The problem is that in the wikilib.d/Site.SideBar the nopasswd
> option is set, probably to allow editing the sitebar while the remaining
> Site wiki is readonly. But I am sure that a lot of users (found another
> site immediately by just browsing your success story list), will oversee
> that and open their Sitebar for writing... I consider that as a security
> risk.
>
> Stefan Schimanski

This was fixed in Version 2.1.beta35 (2006-03-05), but the page's
permissions would not change automatically by upgrading since, once
edited, your SideBar page comes from wiki.d/ (saved pages) instead of
wikilib.d/ (distributed pages).

If you are using beta35 or newer you can set a password of
"@_site_edit" to have the page inherit the site-wide edit password.

Hagan
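
A check for the situation described in this reply, as an added example that is not part of the original message and is not PmWiki code: it lists saved pages in wiki.d/ whose edit attribute is still open and notes which of them shadow a distributed copy in wikilib.d/. The function name, the "passwdedit" key and the "nopass" stored value are assumptions about the page-file format, so confirm them against your own page files first.

```shell
#!/bin/sh
# Added example, not PmWiki code.
# Assumptions: each page is one plain-text file named Group.Page holding
# "key=value" lines, and an open edit password is stored on a line that
# starts with "passwdedit=" and contains "nopass".

# audit_nopass WIKI_D [WIKILIB_D]
# Prints one line per saved page whose edit attribute is open:
#   <page> shadows-distributed   (a copy also exists in WIKILIB_D, so an
#                                 upgrade will not replace the saved one)
#   <page> saved-only
# Returns 1 if at least one such page was found, 0 otherwise.
audit_nopass() {
    wiki_d=$1
    wikilib_d=${2:-}
    found=0
    for f in "$wiki_d"/*; do
        [ -f "$f" ] || continue
        page=${f##*/}
        # Anchor at line start so page text mentioning the key is ignored.
        if grep -q '^passwdedit=.*nopass' "$f"; then
            found=1
            if [ -n "$wikilib_d" ] && [ -f "$wikilib_d/$page" ]; then
                echo "$page shadows-distributed"
            else
                echo "$page saved-only"
            fi
        fi
    done
    return $found
}

# Typical call from the wiki's root directory:
#   audit_nopass wiki.d wikilib.d
```

Any page it reports keeps its open edit attribute across upgrades until the attribute is changed on the saved copy, for example to "@_site_edit" as described above.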



