[pmwiki-users] Why all this zapping?

Patrick R. Michaud pmichaud at pobox.com
Tue May 1 10:29:36 CDT 2007


On Tue, May 01, 2007 at 10:57:51AM -0400, The Editor wrote:
> On 5/1/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> >Following up on this post, I think it needs to be made much clearer
> >that using ZAP on a site means that _any_ author can create ZAP
> >forms that can modify _any_ page on the site (including pages like
> >Site.AuthUser and Site.ZAPConfig).  I've already checked with Dan
> >about this (off-list), and he confirmed it to be the case.
> 
> True.  As the ZAPsite recommends, ZAP should only be enabled on pages
> where trusted users have access to edit permissions.  That is, either
> lock down your site for editing and do all user interaction through
> ZAP, or only enable ZAP on specific non-editable pages.

This understates/misstates my point.  If ZAP is enabled on 
_any_ publicly accessible pages, then an author with edit permission 
to any other page on the site -- even pages where ZAP isn't
"enabled" -- can use ZAP directives to modify any other page on 
the site.

> >I also suspect that it's possible to create ZAP forms that can
> >expose the contents of read-protected pages, but I haven't verified
> >this yet.
> 
> As far as I know this is not possible.  In editing pages or sections
> there is a {(source page#anchor)} markup expression--but it checks the
> user's permission to see the source before displaying anything.  [...]
> Anyway, there's no other way I know of in ZAP to get at a 
> page's source...

I was looking specifically at the commands

    (:zap emailtemplate=<Group>.<Name>:)
    (:zap pagetemplate=<Group>.<Name>:)
    (:input type *template <Group>.<Name>:) 

They don't appear to me to be doing any checking of read
permissions, which means that someone can use them to obtain
the contents of protected pages.

Pm
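To make the missing check concrete, here is an added illustration (not ZAP's or PmWiki's own code) of the difference between loading a template page without and with a read-permission check, using the PmWiki core functions ReadPage(), RetrieveAuthPage() and MakePageName(); the two function names below are hypothetical, and how ZAP actually loads its templates is not shown on this page.

```php
<?php
// Added illustration, not ZAP's or PmWiki's own code. Assumes the PmWiki
// core functions ReadPage(), RetrieveAuthPage(), MakePageName() and the
// READPAGE_CURRENT constant; the two function names here are hypothetical.

// Unchecked pattern: the template page named by the form author is read
// directly, so a read-protected page's text can end up in the generated
// e-mail or page regardless of who submitted the form.
function LoadTemplateUnchecked($pagename, $tmplref) {
  $tmplname = MakePageName($pagename, $tmplref);
  $page = ReadPage($tmplname, READPAGE_CURRENT);
  return $page ? $page['text'] : '';
}

// Checked pattern: RetrieveAuthPage() applies PmWiki's 'read' authorization
// for the current visitor and returns false when it is not granted, so a
// read-protected page is never disclosed through the template mechanism.
// The third argument (false) suppresses the password prompt, since a form
// handler is not an interactive page view.
function LoadTemplateChecked($pagename, $tmplref) {
  $tmplname = MakePageName($pagename, $tmplref);
  $page = RetrieveAuthPage($tmplname, 'read', false, READPAGE_CURRENT);
  if (!$page) {
    return '';   // not readable by this visitor: use an empty template
  }
  return $page['text'];
}
```

Any directive that copies page text into its output (emailtemplate, pagetemplate, *template) should go through the checked path; the write-permission check for the page being modified is a separate concern and is not covered here.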


