[pmwiki-users] Security/information leak in PmWiki

Nils Knappmeier nk at knappi.org
Sun Feb 20 14:56:48 CST 2005


Patrick R. Michaud wrote:

>On Thu, Feb 17, 2005 at 01:22:12PM -0500, Neil Herber wrote:
>
>>1) If I search for "/", PmWiki gladly displays the group name and the name 
>>of all the pages it contains. Names like Private.Budget seem to attract 
>>attention.
>>2) By using various search terms, I can glean some information from the 
>>supposedly private pages. For example, if I search for "Project X" and get 
>>a hit on the page "Private.Budget", that implies some discussion of the 
>>project in the budget.
>
>Remove the Private group from searches, by adding:
>
>   $SearchPatterns['default'][] = '!^Private\.!';
>   $SearchPatterns['all'][] = '!^Private\.!';
>   $SearchPatterns['normal'][] = '!^Private\.!';
>
Wouldn't it be better to use RetrieveAuthPage instead of ReadPage to 
open the pages for a search?
That way, the user would only get the pages that he is allowed to see.

Nils


>
>>3) The AllRecentChanges page exposes all of the editing activity in the 
>>Private group.
>
>In local/Private.php, add
>
>   unset($RecentChangesFmt['Main.AllRecentChanges']);
>
>
>>So the $64 question is, how can I have a truly private group within an 
>>existing PmWiki? Or do I have to create another field in my farm for truly 
>>private info and protect it with yet another layer of basic authentication?
>
>No, you don't have to go to the trouble of a separate field.  OTOH, 
>there's no telling what other features or recipes might be inadvertently 
>exposing data from the Private group.  But we can certainly make efforts
>to identify them and lock them down.
>
>Pm
>_______________________________________________
>pmwiki-users mailing list
>pmwiki-users at pmichaud.com
>http://pmichaud.com/mailman/listinfo/pmwiki-users
>

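The two fixes discussed in this thread, side by side, as an added example that is not PmWiki's code and not code from either poster. It is a self-contained PHP stand-in: the page store, the groups, the per-user read permissions and the search term are constructed for the demo, and matchPageNames(), readPage() and retrieveAuthPage() are small imitations named after the PmWiki functions they mimic (the assumption that a pattern beginning with '!' excludes matching page names mirrors how $SearchPatterns is read in PmWiki, but the real MatchPageNames()/RetrieveAuthPage() are not used here). The weak $SearchPatterns set applies the exclusion to 'default' only, so a search through the 'all' profile still reaches Private.Budget; the corrected set applies it to every profile, as in Pm's reply; the auth-filtered search returns Private pages only to a user allowed to read that group, which is Nils's point.

```php
<?php
// Added example, not PmWiki code: contrasts excluding Private.* from search
// by name pattern (Pm) with opening each candidate through an auth check (Nils).

// Constructed page store: group.name => text.
$pages = [
  'Main.HomePage'    => 'Welcome. Project X kicks off in March.',
  'Private.Budget'   => 'Project X budget: 64000 allocated to hardware.',
  'Private.Salaries' => 'Salary review notes.',
  'Docs.Install'     => 'How to install.',
];

// Constructed read permissions: user => groups that user may read.
$readAllowed = [
  'anonymous' => ['Main', 'Docs'],
  'finance'   => ['Main', 'Docs', 'Private'],
];

// Stand-in for $SearchPatterns. Assumption mirroring PmWiki's convention:
// a pattern delimited with '!' removes matching names, '/' keeps only matches.
// Weak: only the 'default' profile excludes Private; 'all' and 'normal' leak.
$SearchPatternsWeak = [
  'default' => ['!^Private\.!'],
  'all'     => [],
  'normal'  => [],
];
// Corrected, as in Pm's reply: every profile excludes Private.
$SearchPatternsFixed = [
  'default' => ['!^Private\.!'],
  'all'     => ['!^Private\.!'],
  'normal'  => ['!^Private\.!'],
];

// Imitation of MatchPageNames(): apply each pattern in turn to the name list.
function matchPageNames(array $names, array $patterns): array {
  foreach ($patterns as $p) {
    if ($p === '') continue;
    if ($p[0] === '!') {
      $names = array_values(array_diff($names, preg_grep($p, $names)));
    } else {
      $names = array_values(preg_grep($p, $names));
    }
  }
  return $names;
}

// Imitation of ReadPage(): hands back the text with no permission check.
function readPage(array $pages, string $name): ?string {
  return $pages[$name] ?? null;
}

// Imitation of RetrieveAuthPage($name, 'read', false): returns the text only
// when $user may read the page's group, otherwise null (no auth prompt).
function retrieveAuthPage(array $pages, array $readAllowed, string $user, string $name): ?string {
  [$group] = explode('.', $name, 2);
  if (!in_array($group, $readAllowed[$user] ?? [], true)) return null;
  return $pages[$name] ?? null;
}

// Pm's approach: drop excluded names, then ReadPage() everything that is left.
function searchByPattern(array $pages, array $searchPatterns, string $profile, string $term): array {
  $names = matchPageNames(array_keys($pages), $searchPatterns[$profile] ?? []);
  $hits = [];
  foreach ($names as $n) {
    $text = readPage($pages, $n);
    if ($text !== null && stripos($text, $term) !== false) $hits[] = $n;
  }
  return $hits;
}

// Nils's approach: let the auth check decide per page and per user; a page
// the user may not read never contributes a hit, whatever profile is used.
function searchByAuth(array $pages, array $readAllowed, string $user, string $term): array {
  $hits = [];
  foreach (array_keys($pages) as $n) {
    $text = retrieveAuthPage($pages, $readAllowed, $user, $n);
    if ($text !== null && stripos($text, $term) !== false) $hits[] = $n;
  }
  return $hits;
}

// Same search term through each configuration.
print_r(searchByPattern($pages, $SearchPatternsWeak,  'all', 'Project X'));
print_r(searchByPattern($pages, $SearchPatternsFixed, 'all', 'Project X'));
print_r(searchByAuth($pages, $readAllowed, 'anonymous', 'Project X'));
print_r(searchByAuth($pages, $readAllowed, 'finance',   'Project X'));
```

Running it shows the difference in the second and third cases: the weak pattern set lists Private.Budget for the 'all' profile even though the searcher is anonymous, while the corrected set and the auth-filtered search both stop at Main.HomePage for that user. The auth-filtered search still returns Private.Budget for 'finance', which a pattern exclusion can never do, since it hides the group from everyone regardless of who is asking.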