[pmwiki-users] Why all this zapping?
Patrick R. Michaud
pmichaud at pobox.com
Tue May 1 09:03:16 CDT 2007
On Mon, Apr 30, 2007 at 09:07:18PM -0700, H. Fox wrote:
> On 4/30/07, Ben Stallings <Ben at interdependentweb.com> wrote:
> > I also fear [Dan's] doing his reputation more harm
> > than good by repeatedly saying the recipe is unreliable and
> > untrustworthy and something to be cautious of, when it is not
>
> ...
> I'm confident that Dan has made some effort to make ZAP safe, but
> security concerns seem to have taken a back seat to adding Power!,
> Features! and Extensibility!... From my perspective this conclusion
> has been easy to reach, but it may not be obvious to a new
> WikiAdministrator that adding lots of power, features, and
> extensibility also adds significant risk of vulnerability to their
> Pmwiki site.
Following up on this post, I think it needs to be made much clearer
that using ZAP on a site means that _any_ author can create ZAP
forms that can modify _any_ page on the site (including pages like
Site.AuthUser and Site.ZAPConfig). I've already checked with Dan
about this (off-list), and he confirmed it to be the case.
I also suspect that it's possible to create ZAP forms that can
expose the contents of read-protected pages, but I haven't verified
this yet.
So, if your site is using ZAP, make sure you trust all of the
people who have the ability to use ?action=edit . :-)
Pm