[pmwiki-users] read password information leak
Neil Herber
nospam at mail.eton.ca
Mon Mar 7 11:58:52 CST 2005
At 2005-03-07 11:51 AM -0600, Patrick R. Michaud is rumored to have said:
>On Mon, Mar 07, 2005 at 12:29:47PM -0500, Neil Herber wrote:
> > The read password does not appear to suppress protected pagenames or
> > groupnames for "action=refcount".
>
>No, it doesn't. Refcount is already such a slow and server-heavy
>operation that I didn't want to burden it further with password checking.
>This is also why it's not enabled by default in the distribution,
>because it does have the potential to leak information.
>
>I also think it could become highly misleading -- i.e., it might
>indicate that a page has no links to it when in fact there are
>read-protected pages that are linking to it but were suppressed
>due to permissions.
>
>I think that if this much security is needed, then the site admin
>should probably look to limiting access to refcount.php or using a
>farm/field. That said, I suppose I could write refcount to honor
>the $EnablePageListProtect variable, but this really opens the
>door to some confusing results.
I am already using refcount on 2 fields, but I really only use it as an
admin function, usually looking for orphans.
How can I restrict the refcount action to me alone? Note that I have been
logged in via Apache .htpasswd, so I suspect I need something like the
following in local/config.php:
if (@$_SERVER['REMOTE_USER'] == 'Neil' ... (magical PHP code
added here)
All wand-waving appreciated.
Or is it possible to have a farm wide "refcount action" password as there
can be for other actions? That might be a cleaner solution.
I already find the table that refcount returns confusing, so keeping it
outside the view of my users is a bonus.
Neil
Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668
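One way to do the restriction Neil sketches above, as an added illustration (not code from this thread, and not part of the PmWiki distribution). It assumes the usual PmWiki convention of loading scripts/refcount.php from local/config.php only when the action is requested, that Apache basic auth sits in front of pmwiki.php so $_SERVER['REMOTE_USER'] is populated, and that 'Neil' is the administrator's .htpasswd username; the $RefcountAdminUser name is invented here.

```php
<?php if (!defined('PmWiki')) exit();
## local/config.php fragment (added illustration, not from the thread or
## from the PmWiki distribution).
##
## Assumptions: Apache basic auth protects the wiki, so REMOTE_USER is set
## for every request; the administrator logs in as 'Neil'. Adjust to taste.
$RefcountAdminUser = 'Neil';   # assumed username, change for your site

## Wire up the refcount handler only when (a) the request actually asks for
## action=refcount and (b) the authenticated user is the administrator.
## For anyone else the script is never included, so the handler is not
## registered and the request ends on a PmWiki error page instead of the
## reference table. Failing closed this way keeps protected page and group
## names out of view regardless of $EnablePageListProtect.
if (isset($action) && $action == 'refcount') {
  $user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
  if ($user !== $RefcountAdminUser) {
    Abort("?action=refcount is restricted to the site administrator");
  }
  include_once("$FarmD/scripts/refcount.php");
}
```

Because the check runs in config.php before any handler is dispatched, a request from an unauthenticated or non-admin user never reaches refcount.php at all; the comparison is strict (`!==`) so an unset REMOTE_USER cannot match. On a farm, the same fragment in local/farmconfig.php applies it to every field.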