[pmwiki-users] concerning GroupAttributes a potential security risk
Chris.Swift at eu.dodea.edu
Tue Nov 4 04:55:48 CST 2008
Good point! Sorry, I should have added this last part, which would make the problem clearer. Basically, I have the entire set with $DefaultPasswords['attr'] = crypt('secret_password'); as you said, however, I want people to be able to create pages within a group where they can set their own attributes. That's what complicated things. So, I first set in Example.GroupAttributes all of them to @nopass, so people can set their own passwords just for that group. What I didn't realize is that this automatically makes the Example.GroupAttributes page open to anyone, because its within the Example.GroupAttributes range...if that makes sense. ;-)
Anyway, the only way that I could still allow people to set their own attributes within that group (via the Example.GroupAttributes) was to setup an autorestore (maybe to run every 15 seconds or so). I have already installed autorestore for my wikisandbox page, so that's why I posted the other point before.
Do you think the idea of using autorestore for the Example.GroupAttributes is a good method of fixing the problem concerning the openness of Example.GroupAttributes, or do you (or anyone else) recommend a different approach?
From: Hans [mailto:design5 at softflow.co.uk]
Sent: Tue 11/4/2008 11:51 AM
To: Swift, Chris
Cc: PmWiki Users
Subject: Re: [pmwiki-users] concerning GroupAttributes a potential security risk
Tuesday, November 4, 2008, 9:18:40 AM, Swift, Chris wrote:
> I'm using the www.pmwiki.org/wiki/Cookbook/AutoRestore
> <http://www.pmwiki.org/wiki/Cookbook/AutoRestore> (autorestore)
> function, which will automatically restore my example.GroupAttributes
> page, the only issue with that is that someone in the system could
> potentially lock different groups for a few minutes until autorestore
> has made its way back into the system. If anyone has a better
> suggestion, please let me know.
can you not just prevent meddling of page attributes by setting a
sitewide attr password in config.php?
$DefaultPasswords['attr'] = crypt('secret_password');
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the pmwiki-users