On Wed, May 02, 2007 at 03:44:07PM -0500, The Editor wrote:
> On 5/2/07, Patrick R. Michaud <[EMAIL PROTECTED]> wrote:
> >On Wed, May 02, 2007 at 05:09:04AM -0400, The Editor wrote:
> >> On 5/1/07, Patrick R. Michaud <[EMAIL PROTECTED]> wrote:
> >> >On Tue, May 01, 2007 at 08:02:01PM -0400, The Editor wrote:
> >> >> I suggested one possible (probably easy) fix off-list that could
> >> >> provide that back door. Allowing a simple string replacement array to
> >> >> be processed before doing markup processing on an imposed page.
> >> >
> >> >I'm not sure exactly what you mean by "imposed page", but
> >> >it sounds as though you mean "any page where the markup is
> >> >coming from somewhere other than the current one."
>
> Let's think in terms of the analogy of push and pull. If I do an
> include, or a PTV, etc, I'm retrieving markup from other pages onto
> the page I'm editing. That's pull. I must have edit permissions to
> insert the code on a page, so it should be allowed.
>
> If I use the query string and "impose" markup on a page I don't have
> edit permissions for, that's a bit different. That's push.
Okay, I'll give another example, just to show that it's not related
just to query strings. Suppose that I start with a standard PmWiki
installation. I want to put a form on one page called
"MyGroup.InputForm", so I enable the ZAP recipe for that page only
(via local/MyGroup.InputForm.php), and I put an edit password on that
page. Assume further that we've blocked the ability to "impose
markups" via query strings, as my previous exploit did.

Now then, are we safe? As you might guess, the answer is "no"...
someone can *still* exploit the ZAP recipe and use it to add content
to arbitrary edit-protected pages.

Your task is to tell me how someone could exploit the situation
described above, and what the ZAP recipe, admin, and/or author needs
to do in order to avoid it.

(If you want to claim that the above is safe, I'll gladly put
together another demonstration site... that doesn't make use of query
strings or the pagelist fmt= parameter.)

> I suspect a vast number of recipes are vulnerable to this
> approach--just don't know it, or only with limited damage potential
> (unlike ZAP).

Please please please stop making assertions for which you don't have
any evidence -- all it does is spook people. Either show us proof of
other recipes that are vulnerable to this approach, or stop the
scaremongering. (Yes, you already noted that Fox had to change its
approach, but I think it falls squarely in the category of "modifying
pages outside of PmWiki security".)

I have to go now -- will add more responses later.

Pm

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
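One defensive shape for a recipe that writes to pages other than the one it is enabled on ("push", in the thread's terms), as an added example that is not ZAP's code and not part of the thread: a hypothetical PmWiki action that lets a form on MyGroup.InputForm append text to another page, with the write authorized against the target page's edit permission rather than the form page's. The action name `formwrite`, the `target` and `text` form fields, and the placement in local/MyGroup.InputForm.php are assumptions; `RetrieveAuthPage`, `UpdatePage`, `MakePageName`, `Abort` and `Redirect` are PmWiki core functions.

```php
<?php if (!defined('PmWiki')) exit();
// Added example, not ZAP's code. Assumed to live in
// local/MyGroup.InputForm.php, so it is only loaded when
// MyGroup.InputForm is the requested page.
$HandleActions['formwrite'] = 'HandleFormWrite';
$HandleAuth['formwrite'] = 'read';   // reaching the form page needs only read

function HandleFormWrite($pagename, $auth) {
  // The page the submitter wants to push content onto, taken from the form.
  $target = MakePageName($pagename, (string)@$_POST['target']);
  $text = (string)@$_POST['text'];
  if (!$target || $text === '') Abort('missing target or text');

  // Authorization is checked against the TARGET page, not the page hosting
  // the form. With authprompt=true, RetrieveAuthPage() shows the target's
  // password form and stops if the requester cannot satisfy its edit
  // permission; the false check below covers the non-prompting case.
  $old = RetrieveAuthPage($target, 'edit', true);
  if (!$old) Abort("?cannot edit $target");

  $new = $old;
  $new['text'] = rtrim($old['text']) . "\n\n" . $text;
  UpdatePage($target, $old, $new);   // runs the normal page-update pipeline
  Redirect($target);
}
```

The point is that an edit password on MyGroup.InputForm says nothing about whether the submitter may change the target page; only the target's own edit authorization does.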
