  1. XWiki Platform
  2. XWIKI-9541

Disable Exceptions viewed for public

Details

    • Improvement
    • Resolution: Unresolved
    • Major
    • None
    • 5.1
    • Display
    • None
    • Unknown

    Description

      Hi,

      We have an XWiki for public documentation running. For some months there has been a company called WhiteHat that does security scans for us. They give us information about XSS and so on. They found some of the Vulnerability Class Information Leakage: all exceptions are displayed to all public users.

      Example:

      http://www.xwiki.org/xwiki/bin/skin/resources/uicomponents/pagination/pagination.css/%22whscheck=%22whscheck

      or
      http://www.xwiki.org/xwiki/bin/skin/resources/uicomponents/container/columns.css/%22whscheck=%22whscheck?columns=2

      I found no setting that helps me to prevent this exception from being shown to public users.

      It would be a better solution to tell the user that there was an error and display a reference code to the user, so that the public user can send this reference code to the admin and the admin can take a look into the logs / database or wherever the exception is saved.
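
The behaviour requested above, sketched as an added example; it is not XWiki code and not part of the original report. The class `PublicErrorPage`, its methods, the `viewerIsAdmin` flag and the sample exception are hypothetical, and the request path is constructed from the probe URL quoted in the report.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.security.SecureRandom;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical helper (not an XWiki class): hides exception details from public users. */
public class PublicErrorPage {
    private static final Logger LOG = Logger.getLogger(PublicErrorPage.class.getName());
    private static final SecureRandom RNG = new SecureRandom();
    private static final char[] ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789".toCharArray();

    /** Random reference code; it carries no information about the failure itself. */
    static String newReference() {
        StringBuilder sb = new StringBuilder("ERR-");
        for (int i = 0; i < 10; i++) sb.append(ALPHABET[RNG.nextInt(ALPHABET.length)]);
        return sb.toString();
    }

    /** Logs the full exception server-side and returns the body that is safe to show. */
    static String render(Throwable error, String requestPath, boolean viewerIsAdmin) {
        String ref = newReference();
        // The path is attacker-controlled: strip CR/LF so it cannot forge log lines.
        String safePath = requestPath.replaceAll("[\\r\\n]", "_");
        // Full detail goes to the log only, keyed by the reference code.
        LOG.log(Level.SEVERE, "ref=" + ref + " path=" + safePath, error);
        StringBuilder body = new StringBuilder("An error occurred while processing your request.\n");
        body.append("Please send this reference code to the administrator: ").append(ref).append('\n');
        if (viewerIsAdmin) {
            // Assumption: only authenticated administrators get the stack trace inline.
            StringWriter trace = new StringWriter();
            error.printStackTrace(new PrintWriter(trace));
            body.append('\n').append(trace);
        }
        return body.toString();
    }

    public static void main(String[] args) {
        // Constructed failure and request path, modelled on the scanner probe in the report.
        Throwable boom = new IllegalStateException("Failed to load resource from /opt/wiki/skins");
        String path = "/xwiki/bin/skin/resources/uicomponents/pagination/pagination.css/\"whscheck=\"whscheck";
        String publicBody = render(boom, path, false);
        System.out.println(publicBody);
        // The public body must not echo the exception, its message, or the request path.
        if (publicBody.contains("IllegalStateException") || publicBody.contains("whscheck")) {
            throw new AssertionError("internal detail leaked to public user");
        }
    }
}
```

The administrator finds the matching stack trace by searching the server log for the `ref=` value the user reports.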

          People

            Unassigned Unassigned
            ruben.herold Ruben Herold