[pmwiki-users] Why all this zapping?

Patrick R. Michaud pmichaud at pobox.com
Tue May 1 10:54:37 CDT 2007


On Tue, May 01, 2007 at 11:40:33AM -0400, The Editor wrote:
> On 5/1/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> >On Tue, May 01, 2007 at 10:57:51AM -0400, The Editor wrote:
> >> True.  As the ZAPsite recommends, ZAP should only be enabled on pages
> >> where trusted users have access to edit permissions.  That is, either
> >> lock down your site for editing and do all user interaction through
> >> ZAP, or only enable ZAP on specific non-editable pages.
> >
> >This understates/misstates my point.  If ZAP is enabled on
> >_any_ publicly accessible pages, then an author with edit permission
> >to any other page on the site -- even pages where ZAP isn't
> >"enabled" -- can use ZAP directives to modify any other page on
> >the site.
> 
> Not sure I see the difference, but we're agreed ZAP should not be
> enabled on any pages where untrusted users have edit privileges (i.e.
> non admins) unless special precautions are taken involving one of the
> various security layers available in ZAP. 

The key difference is 'pages' versus 'site'.  

Your statement seems to imply that it's okay for a site to 
allow editing of some pages by untrusted users (e.g., something
like a WikiSandbox) as long as ZAP is not enabled on those pages.  

I'm saying that if ZAP is enabled _anywhere_ on a site that allows
_any_ editing by an untrusted user, then the untrusted user
can use ZAP to modify any other page on the site, and likely
obtain the contents of otherwise read-protected pages.

> Also about the source markup expression...  If a page is blocked for
> reading, is it automatically blocked for source?  If so a page might
> be read protected but not source protected, making the source markup
> expression a vulnerability. (It only checks source permissions, not
> read permissions). Is this correct?

PmWiki doesn't have anything called 'source' permissions.  I think
you're confusing permissions here with ?action=source, and the
default permissions for ?action=source are indeed 'read' permission.
This is controlled by the setting of $HandleAuth['source']
(which defaults to 'read', meaning that read permissions are
required to view a page's source via ?action=source).

Pm


