Thursday, June 26, 2008, 9:00:35 AM, Petko wrote:

> There is no "is_admin()" function in PmWiki, and I cannot see any way an
> attacker could execute any other existing function with this form, that is
> why I asked for a real example.

I think demonstrating a JavaScript injection as has been provided is a 'real' enough example. We don't want to see any really harmful code here! That someone can construct links in a wiki which may cause a script injection __is__ the vulnerability. Generally PmWiki is not allowing arbitrary JavaScript (or other script) to be inserted into wiki pages, because it is by concept an open space.

Hans

_______________________________________________
pmwiki-devel mailing list
pmwiki-devel@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-devel