On Tue, May 01, 2007 at 11:40:33AM -0400, The Editor wrote:
> On 5/1/07, Patrick R. Michaud <[EMAIL PROTECTED]> wrote:
> >On Tue, May 01, 2007 at 10:57:51AM -0400, The Editor wrote:
> >> True. As the ZAPsite recommends, ZAP should only be enabled on pages
> >> where trusted users have access to edit permissions. That is, either
> >> lock down your site for editing and do all user interaction through
> >> ZAP, or only enable ZAP on specific non-editable pages.
> >
> >This understates/misstates my point. If ZAP is enabled on
> >_any_ publicly accessible pages, then an author with edit permission
> >to any other page on the site -- even pages where ZAP isn't
> >"enabled" -- can use ZAP directives to modify any other page on
> >the site.
>
> Not sure I see the difference, but we're agreed ZAP should not be
> enabled on any pages where untrusted users have edit privileges (i.e.
> non admins) unless special precautions are taken involving one of the
> various security layers available in ZAP.

The key difference is 'pages' versus 'site'. Your statement seems to imply that it's okay for a site to allow editing of some pages by untrusted users (e.g., something like a WikiSandbox) as long as ZAP is not enabled on those pages. I'm saying that if ZAP is enabled _anywhere_ on a site that allows _any_ editing by an untrusted user, then the untrusted user can use ZAP to modify any other page on the site, and likely obtain the contents of otherwise read-protected pages.

> Also about the source markup expression... If a page is blocked for
> reading, is it automatically blocked for source? If so a page might
> be read protected but not source protected, making the source markup
> expression a vulnerability. (It only checks source permissions, not
> read permissions). Is this correct?

PmWiki doesn't have anything called 'source' permissions. I think you're confusing permissions here with ?action=source, and the default permissions for ?action=source are indeed 'read' permission. This is controlled by the setting of $HandleAuth['source'] (which defaults to 'read', meaning that read permissions are required to view a page's source via ?action=source).

Pm

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
