XWiki Platform: XWIKI-18851

Unauthenticated user can retrieve user information through getdeleteddocuments.vm


    Details

    • Development Priority:
      High
    • Difficulty:
      Unknown
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A

      Description

      An unauthenticated user can retrieve user information through a publicly accessible URL.

      Reproducing steps:
      Navigate to:

      http://<server>/bin/login/XWikiLogin?xpage=getdeleteddocuments&limit=10000
      

      Results:

      • getdeleteddocuments exposes the creator reference and full name for every deleted document, as well as each document's full name and reference, even when the current user has no right to access them

      Expected Results:

      • User full names and document full names should not be accessible to anyone who lacks the corresponding rights
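As an added example, not part of this issue or of the XWiki project's code, the script below shows how a defender can spot requests that render the getdeleteddocuments template through the xpage parameter in web-server access logs, which is useful while a patched build is being rolled out. It assumes logs in Apache "combined" format and works on constructed sample lines; the only details taken from the report are the template name, the `limit` parameter and the `/bin/login/XWikiLogin` path from the reproducing steps.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache "combined" format); they are
# illustrative and were not captured from a real XWiki instance.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2021:10:01:12 +0000] "GET /bin/login/XWikiLogin?xpage=getdeleteddocuments&limit=10000 HTTP/1.1" 200 48213 "-" "curl/7.74.0"
198.51.100.4 - - [01/Sep/2021:10:01:15 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2021:10:02:01 +0000] "GET /bin/view/Main/WebHome?xpage=getdeleteddocuments HTTP/1.1" 200 3010 "-" "curl/7.74.0"
192.0.2.9 - - [01/Sep/2021:10:03:44 +0000] "POST /bin/login/XWikiLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal matcher for the combined format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TEMPLATE = "getdeleteddocuments"  # the template named in the report


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_template_requests(log_text):
    """Return one finding per request that renders the getdeleteddocuments
    template via the xpage parameter, whatever action path it rides on."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        parts = urlsplit(entry["target"])
        query = parse_qs(parts.query)
        if query.get("xpage", [""])[0] != TEMPLATE:
            continue
        limit_raw = query.get("limit", [None])[0]
        limit = int(limit_raw) if limit_raw and limit_raw.isdigit() else None
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "status": int(entry["status"]),
            "path": parts.path,
            # Reached through the login action, as in the report's reproducing
            # steps: the requester does not need a session at all.
            "via_login_action": parts.path.startswith("/bin/login/"),
            "limit": limit,
        })
    return findings


def count_by_ip(findings):
    """Findings per client IP, so repeated enumeration from one source stands out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_template_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["path"]} limit={h["limit"]} '
              f'via_login={h["via_login_action"]}')
    print("per-IP:", count_by_ip(hits))
```

A large `limit` value on a single request, or several hits from one address, is the pattern worth alerting on; a request through the login action is the strongest signal, since that path is reachable before any authentication.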

              People

              Assignee:
              mleduc Manuel Leduc
              Reporter:
              gcoquard Guillaume COQUARD
              Votes:
              0
              Watchers:
              2
