CondAuthNotLocked


The page CondAuthLocked has the following permissions:

* "{CondAuthLocked$PasswdRead}"
* "{CondAuthLocked$PasswdEdit}"
* "{CondAuthLocked$PasswdAttr}"
* "{CondAuthLocked$PasswdPublish}"
* "{CondAuthLocked$PasswdUpload}"
  • ""
  • "@lock"
  • "@lock"
  • "@lock"
  • ""

Moreover, a section in the page is wrapped in a conditional (:if auth admin:) which makes it hidden except from the Administrator.

1. Use an include bypassing the conditional with "lines=2.."

Here is a simple way to circumvent the conditional. With lines=2.. PmWiki will load the full page text, then remove the first line and output the rest. Only, the first line contains the conditional (:if auth admin:) which in that case will be dropped, and the "protected" block will be shown in clear:

(:include CondAuthLocked lines=2..:)

This is a secret section of Test.CondAuthLocked, protected inside an (:if auth admin:)...(:ifend:) block.

People cannot see it when they are on the page Test.CondAuthLocked even if they can read another page.

My password is "Pass1234".

My credit card number is "0000 0000 0000 0000 0000".

This part of the page is available for reading. Return to CondAuthNotLocked.

Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Note, to circumvent a conditional (any conditional), you only need "read" permissions on the page containing the secret, and an "edit" permission on any page on the wiki, even if only a WikiSandbox.

The correct way to do this is to never use a conditional to hide secrets. Instead, write the secrets in a different page with read-password on it, then include it in a read-unprotected page.

2. See the page source

Just follow this link: http://www.pmwiki.org/wiki/Test/CondAuthLocked?action=source

You don't even need edit permissions on a WikiSandbox.

One way to protect the source action is to set $HandleAuth['source'] ='edit'; in config.php. This however will not prevent the first way above.

3. See the page history

Just follow this link: http://www.pmwiki.org/wiki/Test/CondAuthLocked?action=diff and you can see all secrets.

You don't even need edit permissions on a WikiSandbox.

One way to protect the source action is to set $HandleAuth['diff'] ='edit'; in config.php. This however will not prevent the first way above.

 0: 00.00 00.00 config start
 1: 00.01 00.00 config end
 2: 00.06 00.06 MarkupToHTML begin
 3: 00.07 00.06 MarkupToHTML begin
 4: 00.08 00.08 MarkupToHTML end
 5: 00.08 00.08 MarkupToHTML begin
 6: 00.10 00.10 MarkupToHTML end
 7: 00.13 00.12 ReadApprovedUrls SiteAdmin.ApprovedUrls begin
 8: 00.14 00.14 ReadApprovedUrls SiteAdmin.ApprovedUrls end
 9: 00.16 00.15 MarkupToHTML end
10: 00.17 00.16 MarkupToHTML begin
11: 00.22 00.22 MarkupToHTML end
12: 00.22 00.22 MarkupToHTML begin
13: 00.24 00.23 MarkupToHTML end
14: 00.25 00.24 now
Peak memory: 5,659,744 bytes