[pmwiki-users] ZAP security vulnerability...

Patrick R. Michaud pmichaud at pobox.com
Wed May 2 16:02:18 CDT 2007


On Wed, May 02, 2007 at 03:44:07PM -0500, The Editor wrote:
> On 5/2/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> >On Wed, May 02, 2007 at 05:09:04AM -0400, The Editor wrote:
> >> On 5/1/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> >> >On Tue, May 01, 2007 at 08:02:01PM -0400, The Editor wrote:
> >> >> I suggested one possible (probably easy) fix off-list that could
> >> >> provide that back door. Allowing a simple string replacement array to
> >> >> be processed before doing markup processing on an imposed page.
> >> >
> >> >I'm not sure exactly what you mean by "imposed page", but
> >> >it sounds as though you mean "any page where the markup is
> >> >coming from somewhere other than the current one."
> 
> Let's think in terms of the analogy of push and pull.  If I do an
> include, or a PTV, etc, I'm retrieving markup from other pages onto
> the page I'm editing.  That's pull. I must have edit permissions to
> insert the code on a page, so it should be allowed.
>
> If I use the query string and "impose" markup on a page I don't have
> edit permissions for, that's a bit different. That's push.  

Okay, I'll give another example, just to show that it's not related
just to query strings.

Suppose that I start with a standard PmWiki installation.  I want
to put a form on one page called "MyGroup.InputForm", so I enable the
ZAP recipe for that page only (via local/MyGroup.InputForm.php),
and I put an edit password on that page.

Assume further that we've blocked the ability to "impose markups" via
query strings, as my previous exploit did.

Now then, are we safe?  As you might guess, the answer is "no"...
someone can *still* exploit the ZAP recipe and use it to add
content to arbitrary edit-protected pages. 

Your task is to tell me how someone could exploit the situation
described above, and what the ZAP recipe, admin, and/or author
needs to do in order to avoid it.  

(If you want to claim that the above is safe, I'll gladly put
together another demonstration site... that doesn't make use of
query strings or the pagelist fmt= parameter.)

> I suspect a vast number of recipes are vulnerable to this
> approach--just don't know it, or only with limited damage potential
> (unlike ZAP).  

Please please please stop making assertions for which you don't have
any evidence -- all it does is spook people.  Either show us proof of
other recipes that are vulnerable to this approach, or stop the
scaremongering.

(Yes, you already noted that Fox had to change its approach, but I
think it falls squarely in the category of "modifying pages outside 
of PmWiki security".)

I have to go now -- will add more responses later.

Pm
