Is this confirmed, both that one way has the hole and the other doesn't?

Near as I can tell, you're setting the same parameters either way, so I'd expect the results to be the same.

Or are there other things that should be done when changing those variables? If so, is there a function that can be called from config.php that will do all the housekeeping?

If it is possible to see an (:include:) file which you don't have access to, and access was set properly, then it's a bug.

Sandy

On 5/2/2011 2:22 PM, Peter Bowers wrote:

Randy pointed out (below) a serious security hole that I've been
inadvertently leaving on my sites ever since I started doing that
config.php-only type of password-setting that I suggested above.  If I
am viewing a group for which I have read permission I can then
(:include:) a page for which I do *not* have read permission.



_______________________________________________
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
