Loading...

XML

Word

Printable

Details

Type: Improvement
Resolution: Fixed
Priority: Critical
Fix Version/s: 15.5.4, 15.9, 14.10.19
Affects Version/s: 1.0 B1
Component/s: None
Labels:
- security

keywords:
security cookies
Tests:

Unit
Development Priority:
Medium
Documentation:
https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Authentication/#HAuthenticationparameters
Documentation in Release Notes:
https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/15.9/#HForAdmins
Similar issues:

Description

xwiki.cfg has two parameters, xwiki.authentication.validationKey and xwiki.authentication.encryptionKey, responsible for cookie encryption. These two have predefined values which can be used by an attacker to decode the username/password.

It would be better if the installer (.exe, ant or maven) would generate:
1. a random key pair
2. a host-dependent key-pair, different for each host, but always the same for a host

Attachments

Activity

People

Assignee:: Thomas Mortagne

Reporter:: Sergiu Dumitriu

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 15/Dec/06 12:43

Updated:: 31/Oct/23 10:40

Resolved:: 25/Oct/23 17:29

Date of First Response:: 15/Dec/06 1:57 PM