On Tue, May 01, 2007 at 10:57:51AM -0400, The Editor wrote:
> On 5/1/07, Patrick R. Michaud <[EMAIL PROTECTED]> wrote:
> >Following up on this post, I think it needs to be made much clearer
> >that using ZAP on a site means that _any_ author can create ZAP
> >forms that can modify _any_ page on the site (including pages like
> >Site.AuthUser and Site.ZAPConfig). I've already checked with Dan
> >about this (off-list), and he confirmed it to be the case.
>
> True. As the ZAPsite recommends, ZAP should only be enabled on pages
> where trusted users have access to edit permissions. That is, either
> lock down your site for editing and do all user interaction through
> ZAP, or only enable ZAP on specific non-editable pages.
This understates/misstates my point. If ZAP is enabled on
_any_ publicly accessible pages, then an author with edit permission
to any other page on the site -- even pages where ZAP isn't
"enabled" -- can use ZAP directives to modify any other page on
the site.
> >I also suspect that it's possible to create ZAP forms that can
> >expose the contents of read-protected pages, but I haven't verified
> >this yet.
>
> As far as I know this is not possible. In editing pages or sections
> there is a {(source page#anchor)} markup expression--but it checks the
> user's permission to see the source before displaying anything. [...]
> Anyway, there's no other way I know of in ZAP to get at a
> page's source...
I was looking specifically at the commands
(:zap emailtemplate=<Group>.<Name>:)
(:zap pagetemplate=<Group>.<Name>:)
(:input type *template <Group>.<Name>:)
They don't appear to me to be doing any checking of read
permissions, which means that someone can use them to obtain
the contents of protected pages.
Pm
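Both gaps Pm describes above (a form on one page writing to any other page, and template directives reading a page regardless of its read restrictions) come down to a recipe acting on a page without checking the current user's permission for that page. As an added illustration, not ZAP's code and not part of PmWiki core, the following sketch shows the shape of the check a recipe can make before reading a template page or writing a target page, using PmWiki's own MakePageName(), RetrieveAuthPage(), CondAuth() and Abort() functions. The function names ZapReadTemplateChecked() and ZapTargetWritable(), and the $opt array at the call site, are assumptions for the example.

```php
<?php
// Added example (not ZAP's or PmWiki's own code): permission-checked access to
// the pages a form directive names. $pagename is the page running the form.

// Return the text of a template page (e.g. "Group.Name") only if the current
// user is allowed to read it; otherwise return false and leak nothing.
function ZapReadTemplateChecked($pagename, $ref) {
  // Normalise the reference relative to the page running the form.
  $tname = MakePageName($pagename, $ref);
  if (!$tname) return false;
  // $authprompt = false: refuse silently instead of redirecting to a login
  // form from inside form handling. READPAGE_CURRENT: latest revision only.
  $tpage = RetrieveAuthPage($tname, 'read', false, READPAGE_CURRENT);
  if (!$tpage) return false;          // unreadable or nonexistent: refuse
  return $tpage['text'];
}

// Return true only if the current user may edit the target page a form wants
// to modify. This is the check that stops a form on one page from rewriting
// pages such as Site.AuthUser that the author could not edit directly.
function ZapTargetWritable($pagename, $ref) {
  $target = MakePageName($pagename, $ref);
  if (!$target) return false;
  return CondAuth($target, 'edit');
}

// Hypothetical call site in a form handler; $opt is assumed to hold the parsed
// directive arguments (e.g. pagetemplate=Group.Name, target=Group.Name).
$tpl = ZapReadTemplateChecked($pagename, $opt['pagetemplate']);
if ($tpl === false) Abort("template page is not readable by the current user");
if (!ZapTargetWritable($pagename, $opt['target']))
  Abort("current user may not edit the target page");
// ...only now expand $tpl and write to the target page...
```

The point of passing `false` for `$authprompt` is that a form handler should fail closed rather than bounce the visitor through an authentication prompt; the edit check should be made against the page the form would write, not against the page hosting the form.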
_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users