[pmwiki-users] concerning GroupAttributes a potential security risk
Swift, Chris
Chris.Swift at eu.dodea.edu
Tue Nov 4 07:30:37 CST 2008
Dan,
Thanks for your response.
I don't have my site in front of me (nor have access to it), however,
whenever I put that markup ?action=attr, then it brought me to the Group
Attributes page, which means that if I put for example @lock, then it
locks the entire group.
That's where the problem is. Also, the website has the entire
attributes locked down, so that's why I needed to set the
GroupAttributes part.
Thanks,
Chris
-----Original Message-----
From: fast4god at gmail.com [mailto:fast4god at gmail.com] On Behalf Of The
Editor
Sent: Tuesday, November 04, 2008 1:54 PM
To: Hans
Cc: Swift, Chris; PmWiki Users
Subject: Re: [pmwiki-users] concerning GroupAttributes a potential
security risk
On Tue, Nov 4, 2008 at 6:29 AM, Hans <design5 at softflow.co.uk> wrote:
> Tuesday, November 4, 2008, 10:55:48 AM, Swift, Chris wrote:
>
>> Do you think the idea of using autorestore for the
>> Example.GroupAttributes is a good method of fixing the problem
>> concerning the openness of Example.GroupAttributes, or do you (or
>> anyone else) recommend a different approach?
>
> Well it may prevent someone permanently locking the group.
> But really one would want to lock the GroupAttributes page, so that
> only the admin can change attributes of it.
> I don't know how to do this.
> I hope Patrick has an answer for this.
Don't you just set the attributes for the attributes page itself.
Just go to group.attr&action=attr or something like that. Then you can't
change the attr for that group without knowing the password.
It's been a while since I've done this so I may not recall the exact
syntax properly, but I think this may be correct. I'm sure it's in the
docs--how to set the attributes for a specific page.
Cheers,
Dan
More information about the pmwiki-users
mailing list