[pmwiki-users] read password information leak
Patrick R. Michaud
pmichaud at pobox.com
Mon Mar 7 11:51:15 CST 2005
On Mon, Mar 07, 2005 at 12:29:47PM -0500, Neil Herber wrote:
> The read password does not appear to suppress protected pagenames or
> groupnames for "action=refcount".

No, it doesn't. Refcount is already such a slow and server-heavy
operation that I didn't want to burden it further with password checking.
This is also why it's not enabled by default in the distribution,
because it does have the potential to leak information.

I also think it could become highly misleading -- i.e., it might
indicate that a page has no links to it when in fact there are
read-protected pages that are linking to it but were suppressed
due to permissions.

I think that if this much security is needed, then the site admin
should probably look to limiting access to refcount.php or using a
farm/field. That said, I suppose I could write refcount to honor
the $EnablePageListProtect variable, but this really opens the
door to some confusing results.

Pm