V1.1 RC4 1 May 2004
I don't think this is critical but it may be important for some users so it may warrant an general alert...
I have just seen the menu heading, Category name & Title for an invisible and non-public part of my site revealed when an article within this section was made public. As a matter of policy, I beleive that security should follow the hieracrhy. Even headings can contain sensitive information.
Another example of a problem is where a private page is hidden but still available if you know the link. I don't beleive such pages should be reported by RSS because along with each summary comes a link to the item the author has hidden!
As a minimum, if a part of the structure is not visible and public then I don't beleive that any of the data relating to the structure (eg title, subtitle) should be included in the RSS feed.
If the rules are only to apply to the content then, if the content of the article is both visible and public but the structure is not then I think the title etc relating to the structure should be suppressed somehow.
Although it woudl be possible to make this configurable I cant imagine anyone wanting to report info by RSS that they have sought to hide.
James Savage
Security Issue - RSS Functionality
Good point James 
PhpWCMS Evangelist, -- iRoutier.com Running phpWCMS 1.4.2, r354 -> Great Version!!!!
I am suprised no one else has commented because the RSS functionality is I think enabled by default. Consequently, this potentially affects everyone using the product.
If anyone knows different please chip in and correct me.
Yes I know that security should never be implemented through obscurity but obscurity is sometimes better than nothing and is often good enough. The problem here is that while data is obscured through the front end, in cirtain circumstances it is plainly visible through RSS. What is worse it that naming that part of the structure as 'hidden' or 'private' will make the problem worse as this text is included in the RSS feed.
James
If anyone knows different please chip in and correct me.
Yes I know that security should never be implemented through obscurity but obscurity is sometimes better than nothing and is often good enough. The problem here is that while data is obscured through the front end, in cirtain circumstances it is plainly visible through RSS. What is worse it that naming that part of the structure as 'hidden' or 'private' will make the problem worse as this text is included in the RSS feed.
James
Just as an add-on note here to James' initial post, regarding hidden pages (containing sensitive information), the same thing will happen when you use the Search function (knowing that Search is not yet completed).
No way to hide
Nowhere to hide
No way to hide
Nowhere to hide
PhpWCMS Evangelist, -- iRoutier.com Running phpWCMS 1.4.2, r354 -> Great Version!!!!