This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests
are now tracked at the issue tracker at Github.
Closed
Fixed
FS#1620 Spam security hole
Security
2009-02-22 furun
In a section edit, the prefix and suffix text are inside a hidden form element. This bypasses the spam word check! If users don't use a captcha, there is no protection against spammers anymore.
Section editing is also useful for reducing the amount of posted and checked data. Maybe a simple number in prefix and suffix, like in the section edit button, would be more useful.
You can test this easily:
- Use Opera
- Open a page and edit a section
- Open the source text in Opera
- Edit the source text in the prefix or suffix with a spam-blocked text, and update it to the page
- Save the text
- The spam word will bypass the word check if it is inside the prefix or suffix
Spammers could use this automatically for mass spamming in wikis which use no other protection.
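The report boils down to one server-side rule: the word-block check must run over the page exactly as it will be stored, not only over the visible textarea, and hidden fields that echo stored text back from the client should not be trusted at all. The following Python is an added example written for this page, not DokuWiki's own code (DokuWiki is PHP): the blocklist, the page text, the function names and the line-number-based section boundaries are all constructed for illustration. It places the flawed check (section only) beside the hardened check (full reassembled page), and sketches the second fix the reporter suggests, where the client submits only a section range and the server takes prefix and suffix from its stored copy.

```python
"""Server-side spam-word checking for section edits (constructed example)."""

# Constructed blocklist for this example; a real wiki keeps its own wordblock list.
BLOCKLIST = ["cheap-pills-online", "free-casino-bonus"]


def contains_blocked_word(text: str, blocklist=BLOCKLIST) -> bool:
    """Return True if any blocklisted phrase appears in text (case-insensitive)."""
    lowered = text.lower()
    return any(word.lower() in lowered for word in blocklist)


def section_check_visible_only(prefix: str, section: str, suffix: str) -> bool:
    """Models the flawed behaviour the report describes: only the edited section
    (the visible textarea) is scanned, while prefix and suffix travel back in
    hidden form fields and are saved without being checked.
    Returns True when the save would be allowed."""
    return not contains_blocked_word(section)


def section_check_full_page(prefix: str, section: str, suffix: str) -> bool:
    """Hardened check: scan the page as it will actually be stored, so text
    smuggled into the hidden prefix/suffix fields is caught too."""
    full_text = prefix + section + suffix
    return not contains_blocked_word(full_text)


def save_with_server_side_context(stored_page: str, start: int, end: int,
                                  new_section: str):
    """Alternative fix the report suggests: the client sends only the section
    boundaries (line indexes into the stored page) plus the new section body.
    Prefix and suffix are taken from the server's stored copy, so the client
    has no hidden field it could tamper with. Returns the new page text, or
    None when the check blocks the save."""
    lines = stored_page.splitlines(keepends=True)
    if not (0 <= start <= end <= len(lines)):
        raise ValueError("section range outside page")
    prefix = "".join(lines[:start])
    suffix = "".join(lines[end:])
    candidate = prefix + new_section + suffix
    if contains_blocked_word(candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed demonstration: the blocked phrase sits in the hidden prefix.
    prefix, section, suffix = "cheap-pills-online\n", "harmless edit\n", "end\n"
    print("visible-only check allows save:", section_check_visible_only(prefix, section, suffix))
    print("full-page check allows save:   ", section_check_full_page(prefix, section, suffix))
```

With the full-page check in place the hidden-field trick no longer matters, because whatever reaches the stored page has been scanned; the range-based variant goes one step further by removing the hidden text fields altogether, which also shrinks the request as the reporter notes.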