[pmwiki-users] ZAP security vulnerability...

Hans design5 at softflow.co.uk
Thu May 3 14:41:42 CDT 2007


Thursday, May 3, 2007, 8:26:10 PM, The Editor wrote:

> One question is given the above assumptions, should I by default allow
> forms to post data to the same page without a special unlock step.
> (Seems to me Fox made this choice).

I am just mulling over this choice, and suspect it is no good.
As we have seen, it is enough to include a form in a page by having it
added to the GroupFooter for instance. Then someone can post to the
page, even if it was protected.

It always comes to the same point:
The target page for posting content needs to carry a mark, an
attribute or a string, which will make it a legitimate posting target.
Or the admin can expand this by giving permission for posting to other
pages (for instance via a page pattern array).

> And what about having an
> automatically approved auth list--maybe groups like forum, blog, and
> comments or something (Fox has also done this).  A malicious user
> could impose text on those pages, but with no commands or targets for
> those pages could not do much damage.

For Fox it was an attempt to make it easier setting up comment pages.
But I did not have feedback on this. I guess there are many ways of
creating comment pages, tied to a document page. So maybe it is better
to leave it blank. But I would be curious to hear from others about this.


  ~Hans
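A minimal form of the check Hans describes, as an added PHP example rather than Fox, ZAP or PmWiki code: the target page's own stored source must carry a marker directive, or the page name must match an admin-supplied pattern array. The directive name, the function name and the patterns are assumptions.

```php
<?php
// Added example, not code from Fox, ZAP or PmWiki.
// A page is a legitimate posting target only if
//   1. its OWN stored source contains the marker directive, or
//   2. its name matches one of the admin's page-name patterns.
// The marker is looked for in the stored page text, never in the
// rendered output, so a form pulled in via GroupFooter does not turn
// every (possibly protected) page in the group into a valid target.

$PostTargetMarker   = '(:post-target:)';     // hypothetical directive name
$PostTargetPatterns = array(                 // hypothetical admin allow list
    '/^Comments\./',                         // any page in group Comments
    '/^Forum\.Thread[0-9]+$/',               // Forum.Thread1, Forum.Thread42, ...
);

function IsLegitimatePostTarget($pagename, $pagesource, $marker, $patterns) {
    // $pagesource must be the target page's stored markup, not rendered HTML
    if (strpos($pagesource, $marker) !== false) {
        return true;
    }
    foreach ($patterns as $pat) {
        if (preg_match($pat, $pagename)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs for illustration.
$cases = array(
    // page marked by the admin as a posting target
    array('Main.GuestBook',   "(:post-target:)\nLeave a note below."),
    // protected page: the form reaches it only through GroupFooter,
    // so its own source has no marker and the name matches no pattern
    array('Main.Protected',   "Internal notes. (:if false:)nothing(:ifend:)"),
    // allowed purely by the pattern array
    array('Comments.MyDoc',   "First comment goes here."),
    array('Forum.Thread7',    ""),
    array('Forum.Index',      ""),
);

foreach ($cases as $c) {
    $ok = IsLegitimatePostTarget($c[0], $c[1], $PostTargetMarker, $PostTargetPatterns);
    echo $c[0], ': ', ($ok ? 'accept post' : 'reject post'), "\n";
}
```

Run stand-alone this prints accept for Main.GuestBook, Comments.MyDoc and Forum.Thread7, and reject for Main.Protected and Forum.Index.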
