[pmwiki-users] read password information leak

Neil Herber nospam at mail.eton.ca
Mon Mar 7 11:58:52 CST 2005


At 2005-03-07  11:51 AM -0600, Patrick R. Michaud is rumored to have said:
>On Mon, Mar 07, 2005 at 12:29:47PM -0500, Neil Herber wrote:
> > The read password does not appear to suppress protected pagenames or
> > groupnames for "action=refcount".
>
>No, it doesn't.  Refcount is already such a slow and server-heavy
>operation that I didn't want to burden it further with password checking.
>This is also why it's not enabled by default in the distribution,
>because it does have the potential to leak information.
>
>I also think it could become highly misleading -- i.e., it might
>indicate that a page has no links to it when in fact there are
>read-protected pages that are linking to it but were suppressed
>due to permissions.
>
>I think that if this much security is needed, then the site admin
>should probably look to limiting access to refcount.php or using a
>farm/field.  That said, I suppose I could write refcount to honor
>the $EnablePageListProtect variable, but this really opens the
>door to some confusing results.

I am already using refcount on 2 fields, but I really only use it as an 
admin function, usually looking for orphans.

How can I restrict the refcount action to me alone? Note that I have been 
logged in via Apache .htpasswd, so I suspect I need something like the 
following in local/config.php:

            if (@$_SERVER['REMOTE_USER'] == 'Neil'  ... (magical PHP code 
added here)

All wand-waving appreciated.

Or is it possible to have a farm wide "refcount action" password as there 
can be for other actions? That might be a cleaner solution.

I already find the table that refcount returns confusing, so keeping it 
outside the view of my users is a bonus.



Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668 




More information about the pmwiki-users mailing list