[pmwiki-users] concerning GroupAttributes a potential security risk

Swift, Chris Chris.Swift at eu.dodea.edu
Tue Nov 4 03:18:40 CST 2008

Ok, so I sent the note below yesterday, but for some reason it never
left my outbox.  Maybe I can blame the "galactic e-mail monster" for
doing something to my e-mail (or maybe the fact they were upgrading our
e-mail servers yesterday).   ;-)

So, I sent this message yesterday.  This is the fix I found:

I'm using the http://www.pmwiki.org/wiki/Cookbook/AutoRestore
(autorestore) function, which will automatically restore my
example.GroupAttributes page.  The only issue with that is that someone
in the system could potentially lock different groups for a few minutes
until autorestore has made its way back into the system.  If anyone has
a better suggestion, please let me know.

Dear all,

By now you are probably getting a little tired of my posts.  I apologize
for this, but in getting ready for my site to go live I need most of the
kinks worked out.

Anyway, this one should be rather simple.  I just noticed today a
potential problem (for many others beyond me).  If I set up a group to be
easily edited for my users (they can read, edit, attr. and upload) it
has a potential problem.  The point is that if I go to
example.GroupAttributes and set the group attributes to @nopass, then
that means that people can also go into my example.GroupAttributes page
and set the attributes for the entire group, thus a possible security
risk (and defeating the purpose of making it publicly available).

Suggestions?  What has anyone done to avoid this issue?
