[pmwiki-users] Why all this zapping?

The Editor editor at fast.st
Tue May 1 09:57:51 CDT 2007


On 5/1/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Mon, Apr 30, 2007 at 09:07:18PM -0700, H. Fox wrote:
> > On 4/30/07, Ben Stallings <Ben at interdependentweb.com> wrote:
> > > I also fear [Dan's] doing his reputation more harm
> > > than good by repeatedly saying the recipe is unreliable and
> > > untrustworthy and something to be cautious of, when it is not
> > ...
> > I'm confident that Dan has made some effort to make ZAP safe, but
> > security concerns seem to have taken a back seat to adding Power!,
> > Features! and Extensibility!...  From my perspective this conclusion
> > has been easy to reach, but it may not be obvious to a new
> > WikiAdministrator that adding lots of power, features, and
> > extensibility also adds significant risk of vulnerability to their
> > Pmwiki site.
>
> Following up on this post, I think it needs to be made much clearer
> that using ZAP on a site means that _any_ author can create ZAP
> forms that can modify _any_ page on the site (including pages like
> Site.AuthUser and Site.ZAPConfig).  I've already checked with Dan
> about this (off-list), and he confirmed it to be the case.

True.  As the ZAPsite recommends, ZAP should only be enabled on pages
where trusted users have access to edit permissions.  That is, either
lock down your site for editing and do all user interaction through
ZAP, or only enable ZAP on specific non-editable pages.

There are three other backup security options also.

1) Set a ZAP password which will lock all ZAP form submissions unless
specifically enabled where needed. Do this as usual on your page/group
attributes pages.

2) Create a Site.ZAPConfig page (blank) which will automatically lock
all advanced commands from working except where specifically enabled.
Then be sure to edit protect that page!

3) If you want to get your hands a bit dirty, don't enable ZAPtoolbox
anywhere (that's where all the powerful functions are).  Just cut and
paste the various functions on specific local config pages as needed.
That way you only have just the power you need where you need it. It
might even improve performance a fraction of a second!

So you have several good ways for securing ZAP's capabilities, and
they can be mixed and matched or all added on top of each other for
the especially paranoid.

I should also add this is not a bug but a feature.  I don't want my
users to be able to edit their forum posts or comments directly.  So I
lock down those pages and allow users to post via the ZAP forms.  I'm
not sure how Fox works but I definitely prefer to not leave these
kinds of pages closed to public editing. So ZAP is designed to make
that possible, on purpose.

> I also suspect that it's possible to create ZAP forms that can
> expose the contents of read-protected pages, but I haven't verified
> this yet.

As far as I know this is not possible.  In editing pages or sections
there is a {(source page#anchor)} markup expression--but it checks the
user's permission to see the source before displaying anything.  It
does not check for read permissions however, and so that might need to
be added. Maybe Pm can clarify how that is supposed to work. Anyway,
there's no other way I know of in ZAP to get at a page's source...

It does occur to me something like the {(sectionlist page page)}
markup could be used maliciously, by a page editor simply setting the
template page to the read-protected page.  And perhaps some of the
other templating functions in ZAP likewise need to be read-protected
checked. Of course if you are trusting those who can edit pages, or
using some of the built in security measures to block form
submissions--these are non-issues. I generally designed ZAP for those
who want to lock their site down and direct interaction through ZAP
forms.  That's its purpose. It's not very wiki-ish in nature.

> So, if your site is using ZAP, make sure you trust all of the
> people who have the ability to use ?action=edit .  :-)

With anything as powerful and flexible as ZAP, it would be good idea
for users to read the security tutorials on ZAP carefully and make
sure they ask questions if something is not clear.

Thanks Pm for checking out the code and helping to clarify for others
what ZAP does and does not do.

Cheers,
Dan
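
[Editor's note, not part of Dan's message: the configuration below is an added example showing how the first two hardening options above (lock the whole site for editing, and edit-protect Site.ZAPConfig) map onto PmWiki's standard local customization files. It uses only PmWiki's own $DefaultPasswords array and its per-page customization file convention (local/Group.Name.php); it assumes nothing about ZAP's internal variables, since ZAP's own password is set through the page/group attributes pages as described. The passwords are placeholders to be replaced.]

```php
<?php if (!defined('PmWiki')) exit();
// --- local/config.php ---------------------------------------------------
// Added example (not ZAP's or PmWiki's own code). Site-wide lockdown: with an
// edit password set here, only people who know it (or are granted it via
// Site.AuthUser) can reach ?action=edit, so only they can author ZAP forms.
// The attr and admin passwords are locked too, so an editor cannot simply
// remove the protection through the attributes page.
// pmcrypt() is PmWiki's password helper; very old releases used crypt().
$DefaultPasswords['edit']  = pmcrypt('CHANGE-ME-edit');   // placeholder
$DefaultPasswords['attr']  = pmcrypt('CHANGE-ME-attr');   // placeholder
$DefaultPasswords['admin'] = pmcrypt('CHANGE-ME-admin');  // placeholder

// --- local/Site.ZAPConfig.php -------------------------------------------
// PmWiki loads a per-page customization file named local/Group.Name.php
// after config.php, so settings here win for that one page. Locking
// Site.ZAPConfig separately means that even if the site-wide edit password
// is later relaxed for a forum or comments group, the page that enables
// ZAP's advanced commands stays closed to untrusted authors.
$DefaultPasswords['edit'] = pmcrypt('CHANGE-ME-zapconfig');  // placeholder
$DefaultPasswords['attr'] = pmcrypt('CHANGE-ME-zapconfig');  // placeholder
```

The check after deploying this is the one Pm's warning implies: visit Site.ZAPConfig and Site.AuthUser while logged out and confirm that ?action=edit and ?action=attr both prompt for a password, and that the pages where ZAP forms are meant to accept public input are the only ones left editable.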


