The new version of ZAP is just released, and a strongly recommended upgrade. Features:

1) A more systematic block of the Query Fmt attack Pm demonstrated.
2) No longer able to post to Site pages without a config variable being reset.
3) A complete Command & Target wiki-based config system that allows you to have extremely fine-tuned control over which pages can do what to what pages. Note: Closed sites, or sites using Ben's suggestion for closed ZAPfields, can bypass #3 by simply not creating the corresponding security config pages.

Other fixes/features:

1) Completely reworked the messaging system to make it easy to override any default system message in a form or on a Site Config page. Very flexible.
2) Fixed the anchor/thread conflict.
3) Read permission checking was added to the templating engine.
4) The SectionList command is now included in the ZAPtoolbox.
5) Added in-code comments to much of the ZAP core module.

I just uploaded to ZAPsite (version: May 5, 2007) and have begun documenting the changes--but won't have time to finish till probably early next week. I haven't noticed any broken forms except one or two advanced ones involving messaging--so it should be a mostly pain-free upgrade. Please report bugs if found, as this was a pretty significant rework of the code under very intense time pressure.

My apologies to the PmWiki community for not at least taking a few more precautions with ZAP. I never would have guessed you could do with PmWiki what Pm did, but I should have taken some extra safety measures--just to be on the safe side. Upgrades are encouraged. Feedback and comments welcome.

Pm, if you wouldn't mind verifying these changes block the attacks you demonstrated. Unfortunately I'm not at a place to easily reproduce your attack.

Cheers,
Dan

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
