[pmwiki-users] Security/information leak in PmWiki
Neil Herber
nospam at mail.eton.ca
Thu Feb 17 12:22:12 CST 2005
Before too many alarm bells go off, this is not a problem that will affect
many admins, but it does affect me.
I am running a password protected PmWiki for a client. All users are
granted access via Apache basic authentication. This morning I created a
group called "Private" which will be used to store information that only my
direct client and I can access (I assigned a read password to the group).
However, some of the other facilities in PmWiki leak information about the
Private group.
1) If I search for "/", PmWiki gladly displays the group name and the name
of all the pages it contains. Names like Private.Budget seem to attract
attention.
2) By using various search terms, I can glean some information from the
supposedly private pages. For example, if I search for "Project X" and get
a hit on the page "Private.Budget", that implies some discussion of the
project in the budget.
3) The AllRecentChanges page exposes all of the editing activity in the
Private group.
So the $64 question is, how can I have a truly private group within an
existing PmWiki? Or do I have to create another field in my farm for truly
private info and protect it with yet another layer of basic authentication?
Neil
Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668
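The three leaks above (page names via a catch-all search, content inference via search hits, and edit activity via AllRecentChanges) all come from the same root cause: the wiki decides what a user may read only when it renders a page, while its search index and its change log are consulted without that check. The following Python is an added illustration, not PmWiki's own code or configuration: it models a tiny wiki with a password-protected "Private" group, shows the leaky search and recent-changes listing beside versions that apply the group read check before a page is touched, and uses a constructed page store, edit log and password table whose names and contents are assumed.

```python
"""Added illustration of the leak class described above (not PmWiki code).

A toy wiki: pages live in groups ("Group.Name"), and a group may carry a
read password.  The leaky functions consult the page store and the edit
log without any read check, so an unauthorized searcher learns that
Private.Budget exists and that a given term occurs in it.  The filtered
functions apply the read check first, so such a user gets no hit, no
count, and no change-log entry for the group at all.
"""
import re

# Constructed sample page store: "Group.Name" -> page text (assumed content).
PAGES = {
    "Main.HomePage": "Welcome to the client wiki.",
    "Main.Schedule": "Project X kickoff is in March.",
    "Private.Budget": "Project X budget: 50000 allocated to phase one.",
    "Private.Contract": "Draft terms for the Project X contract.",
}

# Constructed edit log, newest last: (timestamp, page, author).
RECENT_CHANGES = [
    ("2005-02-17 09:02", "Private.Budget", "neil"),
    ("2005-02-17 09:40", "Main.Schedule", "alice"),
    ("2005-02-17 10:15", "Private.Contract", "neil"),
]

# Assumed read-password table: a group absent from it is readable by anyone
# who already passed the outer (basic-auth) login.
GROUP_READ_PASSWORDS = {"Private": "s3cret-client-only"}


def group_of(page):
    """'Private.Budget' -> 'Private'."""
    return page.split(".", 1)[0]


def can_read(page, creds):
    """creds is the set of read passwords this session has presented."""
    needed = GROUP_READ_PASSWORDS.get(group_of(page))
    return needed is None or needed in creds


def search_leaky(pattern):
    """Matches every page name and body, then returns the names.

    A hit on Private.Budget tells the searcher both that the page exists
    and that the term appears in it, even though they cannot open it.
    A catch-all pattern (the '/' query of the post) lists the whole group.
    """
    rx = re.compile(pattern, re.I)
    return sorted(p for p, text in PAGES.items() if rx.search(p) or rx.search(text))


def search_filtered(pattern, creds):
    """Applies the read check before the page body is opened.

    Pages the caller may not read are skipped entirely, so they neither
    appear in the result nor contribute to a hit count.
    """
    rx = re.compile(pattern, re.I)
    hits = []
    for p, text in PAGES.items():
        if not can_read(p, creds):
            continue  # never examine text the caller is not allowed to read
        if rx.search(p) or rx.search(text):
            hits.append(p)
    return sorted(hits)


def recent_changes_leaky():
    """Renders every log entry, exposing activity in the private group."""
    return [f"{ts} {page} ({who})" for ts, page, who in RECENT_CHANGES]


def recent_changes_filtered(creds):
    """Renders only the entries whose page the caller is allowed to read."""
    return [f"{ts} {page} ({who})" for ts, page, who in RECENT_CHANGES
            if can_read(page, creds)]


if __name__ == "__main__":
    outsider = set()                        # passed basic auth, no group password
    client = {"s3cret-client-only"}         # the direct client
    print("leaky search:   ", search_leaky("Project X"))
    print("filtered search:", search_filtered("Project X", outsider))
    print("leaky changes:  ", recent_changes_leaky())
    print("filtered changes:", recent_changes_filtered(outsider))
    print("client sees:    ", search_filtered("Project X", client))
```

The point of the filtered versions is where the check sits: the read decision is made per page before the search or the log touches it, so a denied page cannot leak through its name, its hit count, or its edit timestamps. Any wiki feature that enumerates pages (search, recent changes, page lists, backlinks) needs the same treatment; protecting only the page view is what produces the leaks listed in the post.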