[pmwiki-users] concerning GroupAttributes a potential security risk
Chris.Swift at eu.dodea.edu
Tue Nov 4 03:18:40 CST 2008
Ok, so I sent the note below yesterday, but for some reason it never
left my outbox. Maybe I can blame the "galactic e-mail monster" for
doing something to my e-mail (or maybe the fact they were upgrading our
e-mail servers yesterday). ;-)
So, I sent this message yesterday. This is the fix I found:
I'm using the www.pmwiki.org/wiki/Cookbook/AutoRestore
function, which will automatically restore my example.GroupAttributes
page. The only issue with that is that someone in the system could
potentially lock different groups for a few minutes until autorestore
has made its way back into the system. If anyone has a better
suggestion, please let me know.
By now you are probably getting a little tired of my posts. I apologize
for this, but in getting ready for my site to go live I need most of the
kinks worked out.
Anyway, this one should be rather simple. I just noticed today a
potential problem (for many others beyond me). If I set up a group to be
easily edited for my users (they can read, edit, attr. and upload) it
has a potential problem. The point is that if I go to
example.GroupAttributes and set the group attributes to @nopass, then
that means that people can also go into my example.GroupAttributes page
and set the attributes for the entire group, thus a possible security
risk (and defeating the purpose of making it publicly available).
Suggestions? What has anyone done to avoid this issue?