Details
- Bug
- Resolution: Fixed
- Blocker
- 4.1.3
- Fedora 17
- High
- Unknown
- N/A
We really need a process for responsible disclosure of security issues. But since we don't have that at the moment, I will not put this in the release notes.
Description
I discovered an unexpected behaviour in my "XWIKI ENTERPRISE 4.2.2" concerning HTML export.
I have a fresh installation of XWiki 4.2-milestone-2. I want to have in space Main a set of "public" pages, meaning pages that can be viewed by unregistered users, and a set of "private" pages that require the user to be logged in to view them. I achieved such a configuration by (starting from the initial configuration) denying View permission for unregistered users at wiki level (hence by default the wiki is private) and granting explicitly, for each page I want to be public, the View permission for unregistered users.
Now, I want to export the space Main in HTML format. Following the guide at [1], I'm using this URL:
http://<SERVER>/xwiki/bin/export/Main/<PAGE>?format=html&pages=Main.%25
If PAGE=MyPrivatePage (a private page) and I'm not logged in, the browser redirects me to the login page. Correct.
If PAGE=MyPublicPage (a public page) and I'm not logged in, the export works. But on opening the returned zip archive, I found that it also contains private pages!
As a matter of fact, as an unregistered user I exported the entire space starting from a page viewable by unregistered users and obtained in the zip ALL pages, including pages that I cannot normally view from the browser.
From what I understood, XWiki checks access rights for PAGE, but if access is allowed, the export then includes all pages regardless of whether the user requesting the export can view those pages or not.
Can anybody reproduce this issue? If confirmed, I think it is a serious security issue that could be exploited to bypass pages' access rights.
Thank you very much,
Gabriele
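A minimal model of the rights setup and export check described in the report, added here as an illustration and not XWiki's own authorization code: a wiki-level deny for unregistered users, explicit per-page View grants, and an export that filters every selected page by the requester's view right instead of checking only the entry page. The page names, the two user categories and the `%` wildcard expansion are assumptions of the model.

```python
import fnmatch

# Constructed model of the configuration in the report (not XWiki data):
# the wiki denies View to unregistered users by default, and individual
# pages grant it explicitly.
WIKI_DEFAULT_VIEW = {"unregistered": False, "registered": True}
PAGE_VIEW_OVERRIDES = {
    "Main.MyPublicPage": {"unregistered": True},
}
PAGES = {
    "Main.WebHome": "welcome",
    "Main.MyPublicPage": "public content",
    "Main.MyPrivatePage": "private content",
    "Sandbox.WebHome": "sandbox",
}


def can_view(user, page):
    """An explicit page-level grant wins; otherwise the wiki-level default applies."""
    override = PAGE_VIEW_OVERRIDES.get(page, {})
    return override.get(user, WIKI_DEFAULT_VIEW[user])


def select_pages(pattern):
    """Expand the 'pages' selector; '%' is treated like the glob wildcard '*' (assumption)."""
    return sorted(p for p in PAGES if fnmatch.fnmatch(p, pattern.replace("%", "*")))


def export_vulnerable(user, entry_page, pattern):
    """Behaviour the report describes: rights are checked on the entry page only."""
    if not can_view(user, entry_page):
        raise PermissionError("redirect to login")
    return {p: PAGES[p] for p in select_pages(pattern)}


def export_hardened(user, entry_page, pattern):
    """Check every selected page against the requester's View right, not just the entry page."""
    if not can_view(user, entry_page):
        raise PermissionError("redirect to login")
    return {p: PAGES[p] for p in select_pages(pattern) if can_view(user, p)}
```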