#1905 Wiki: MultiPrint shows content independent of permissions

v1.8.5
open
nobody
Security (29)
5
2005-03-14
2005-03-13
Matthias
No

Any user (even anonymous) can reveal all content of an
arbitrary Wiki page, even when protected by view
permissions for admin only, by selecting "Print" from
the application_menu, and then adding the page (p_view
for admin only) to the list of pages to be printed, well,
and then print.

Earlier today I discovered that Search would reveal the
first 250 characters of wiki text for an "invisible" page,
but now even the whole page (including its final
formatting) is shown.

Seems that the permission system has a couple of
severe leaks.
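
The following is an added example, not part of the original report and not the project's own code: a small Python model of the reported flaw and of routing every content-producing path (multi-page print, search snippets) through one view-permission check. All names here (`Page`, `can_view`, `multiprint_checked`, `search_checked`, the group names) and the sample pages are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

SNIPPET_LEN = 250  # the report says Search exposed the first 250 characters

@dataclass(frozen=True)
class Page:
    name: str
    body: str
    view_groups: frozenset  # groups granted view permission on this page

# Constructed sample data: one public page, one viewable by admins only.
PAGES = {p.name: p for p in (
    Page("HomePage", "Welcome to the wiki.", frozenset({"Anonymous", "Admins"})),
    Page("AdminNotes", "Internal notes. " * 40, frozenset({"Admins"})),
)}

def can_view(groups, page):
    """Single authorization decision shared by every path that outputs page content."""
    return bool(set(groups) & page.view_groups)

def multiprint_unchecked(groups, names):
    """The reported behaviour: the print list is rendered without consulting permissions."""
    return [PAGES[n].body for n in names if n in PAGES]

def multiprint_checked(groups, names):
    """Render only pages the requester may view; return (rendered, denied_names)."""
    rendered, denied = [], []
    for n in names:
        page = PAGES.get(n)
        if page is None or not can_view(groups, page):
            denied.append(n)  # unknown and forbidden pages look the same to the caller
            continue
        rendered.append(page.body)
    return rendered, denied

def search_checked(groups, term):
    """Search snippets pass the same check before any text is returned."""
    return {p.name: p.body[:SNIPPET_LEN] for p in PAGES.values()
            if term.lower() in p.body.lower() and can_view(groups, p)}
```

The check is applied per page at render time, so a page name added to the print list by the client is never trusted on its own.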

Discussion

  • Matthias
    2005-03-14

    • summary: Wiki: Print shows all content independent of permissions --> Wiki: MultiPrint shows content independent of permissions