Hi all!

Thanks to the efforts of Andy Webber, multiple security vulnerabilities were discovered in DokuWiki plugins recently. Andy sent a mail to the authors and CCed me. Unfortunately very few plugin authors seem to respond to the issues and fix them.

I thought a while about how to handle the situation. To protect innocent users I decided to go for a full disclosure policy. Here is how it works:

Whenever someone discovers a security issue in a plugin, two things should be done:

1. Send an email to the author of the plugin, explaining the problem
2. Add a 'securityissue' field to the data in the plugin page. This field should contain a short description of the problem.

Here is an example of a plugin page with a marked security problem:

http://wiki.splitbrain.org/plugin:dailymotion

Doing the latter serves two purposes: first, it makes it very obvious that there is a problem with the plugin. Secondly, it will hide the plugin from the list on wiki:plugins.

In an ideal world we would have the manpower to have a security team which would check each and every plugin. Unfortunately this is not the case. To help plugin authors with writing secure code, I started a page on http://wiki.splitbrain.org/wiki:plugins:security - it would be great if everybody could have a look at it and improve it.

Andi

--
http://www.splitbrain.org