[pmwiki-users] Why all this zapping?

The Editor editor at fast.st
Tue May 1 10:40:33 CDT 2007


On 5/1/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Tue, May 01, 2007 at 10:57:51AM -0400, The Editor wrote:
> > On 5/1/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> > >Following up on this post, I think it needs to be made much clearer
> > >that using ZAP on a site means that _any_ author can create ZAP
> > >forms that can modify _any_ page on the site (including pages like
> > >Site.AuthUser and Site.ZAPConfig).  I've already checked with Dan
> > >about this (off-list), and he confirmed it to be the case.
> >
> > True.  As the ZAPsite recommends, ZAP should only be enabled on pages
> > where trusted users have access to edit permissions.  That is, either
> > lock down your site for editing and do all user interaction through
> > ZAP, or only enable ZAP on specific non-editable pages.
>
> This understates/misstates my point.  If ZAP is enabled on
> _any_ publicly accessible pages, then an author with edit permission
> to any other page on the site -- even pages where ZAP isn't
> "enabled" -- can use ZAP directives to modify any other page on
> the site.

Not sure I see the difference, but we're agreed ZAP should not be
enabled on any pages where untrusted users have edit privileges (i.e.
non-admins) unless special precautions are taken involving one of the
various security layers available in ZAP. ZAP is not designed for
publicly editable pages. It's designed for admins who want a good
tool for rapid development.

> > >I also suspect that it's possible to create ZAP forms that can
> > >expose the contents of read-protected pages, but I haven't verified
> > >this yet.
> >
> > As far as I know this is not possible.  In editing pages or sections
> > there is a {(source page#anchor)} markup expression--but it checks the
> > users permission to see the source before displaying anything.  [...]
> > Anyway, there's no other way I know of in ZAP to get at a
> > page's source...
>
> I was looking specifically at the commands
>
>    (:zap emailtemplate=<Group>.<Name>:)
>    (:zap pagetemplate=<Group>.<Name>:)
>    (:input type *template <Group>.<Name>:)
>
> They don't appear to me to be doing any checking of read
> permissions, which means that someone can use them to obtain
> the contents of protected pages.

You are likely correct. Though only trusted users should be creating
these forms (see above), all templating should do a check for read
permissions.  I'll be sure to add it for the next release.  Thanks
again Pm...

Cheers
Dan

Also about the source markup expression...  If a page is blocked for
reading, is it automatically blocked for source?  If so a page might
be read protected but not source protected, making the source markup
expression a vulnerability. (It only checks source permissions, not
read permissions). Is this correct?
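The read-permission gap Pm describes above (template directives fetching a page's text without consulting the page's read permissions) and the earlier point about form submissions writing to arbitrary pages both come down to the same fix: resolve the page through PmWiki's authorization layer rather than reading it directly. The snippet below is an added illustration written for this page; it is not ZAP's code and not a PmWiki core file. It assumes the PmWiki 2.2 core API (ReadPage, RetrieveAuthPage, READPAGE_CURRENT, MakePageName, PageExists, CondAuth, UpdatePage); the function names LoadTemplateUnchecked, LoadTemplateChecked and SaveTargetChecked are hypothetical names chosen for the example, and the file is meant to be included from local/config.php.

```php
<?php if (!defined('PmWiki')) exit();
## Added example, not part of ZAP or PmWiki: a permission-checked
## template loader and a permission-checked target-page writer for a
## form-processing recipe. Assumes the PmWiki 2.2 core API; the three
## function names here are hypothetical.

## The pattern the thread is worried about. ReadPage() returns the
## stored text of any page regardless of who is asking, so a form
## author can point a template directive at a read-protected page
## (Site.AuthUser, for example) and have its contents rendered back.
function LoadTemplateUnchecked($pagename, $tmpl) {
  $tn = MakePageName($pagename, $tmpl);        # resolve Group.Name
  $page = ReadPage($tn, READPAGE_CURRENT);     # no auth check at all
  return $page ? $page['text'] : false;
}

## Hardened version. RetrieveAuthPage() evaluates the target page's
## read permissions for the *current visitor*; with $authprompt set to
## false it returns false instead of raising a password prompt, so a
## denied template simply fails rather than leaking or interrupting
## the form.
function LoadTemplateChecked($pagename, $tmpl) {
  $tn = MakePageName($pagename, $tmpl);
  if (!PageExists($tn)) return false;
  $page = RetrieveAuthPage($tn, 'read', false, READPAGE_CURRENT);
  if (!$page) return false;                    # read-protected for this visitor
  return $page['text'];
}

## Same discipline for writes. What matters is whether the visitor
## submitting the form may edit the target page, not whether the author
## of the form page could; checking 'edit' on the target closes the
## "any author can modify any page" path for targets that are locked
## down, e.g. Site.AuthUser or Site.ZAPConfig.
function SaveTargetChecked($pagename, $target, $newtext) {
  $tn = MakePageName($pagename, $target);
  $page = RetrieveAuthPage($tn, 'edit', false, READPAGE_CURRENT);
  if (!$page) return false;                    # no edit rights on the target
  $new = $page;
  $new['text'] = $newtext;
  UpdatePage($tn, $page, $new);                # normal PmWiki save path
  return true;
}

## Cheap pre-check usable from markup or conditionals, e.g. to hide a
## template-driven form entirely when the visitor could not read it:
##   if (CondAuth($pagename, 'read')) { ... }
```

Two caveats a practitioner would want alongside this. First, the check must run against the page the directive names after MakePageName() resolves it, not against the page carrying the form, since the whole point of the attack is that the two differ. Second, passing $authprompt = false is deliberate: prompting for a password inside form processing would turn a silent information leak into a login dialog that still reveals the page exists, and a failed lookup should be treated by the recipe as an error, not as an empty template.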
