  1. XWiki Platform
  2. XWIKI-19291

XSS in register page when guest users don't have view rights

Details


    Description

      Reproduction steps:

      • Go to Administration > Rights and check "Prevent unregistered users from viewing pages, regardless of the page rights"
      • Go to a URL such as
      http://localhost:8080/xwiki/bin/register/XWiki/XWikiRegister?xredirect=%2fbin%2flogin%2fXWiki%2fXWikiLogin%3fsrid%3dyJi2Etxt%26xredirect%3d%252Fbin%252Fview%252FMain%252F%253Fsrid%253DyJi2Etxtc29tl%22%3e%3cscript%3ealert(1)%3c%2fscript%3ey9vgc
      

      Expected result:

      • the registration page is displayed and nothing happens

      Obtained result:

      • the registration page is displayed but an alert appears
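
The nested xredirect parameter from the reproduction URL, unwrapped one level at a time and then escaped for output, as an added example that is not part of the original report or of XWiki's code. The report does not say where the value is reflected or how it was fixed, so the hidden-field helper `render_hidden_field` and the other function names are assumptions for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs

# URL copied from the reproduction steps above.
REPORT_URL = (
    "http://localhost:8080/xwiki/bin/register/XWiki/XWikiRegister"
    "?xredirect=%2fbin%2flogin%2fXWiki%2fXWikiLogin%3fsrid%3dyJi2Etxt"
    "%26xredirect%3d%252Fbin%252Fview%252FMain%252F%253Fsrid%253DyJi2Etxtc29tl"
    "%22%3e%3cscript%3ealert(1)%3c%2fscript%3ey9vgc"
)

# Characters that can close an attribute or open a tag when written unescaped.
MARKUP_CHARS = set("\"'<>")


def xredirect_chain(url, max_depth=5):
    """Return the decoded xredirect value found at each nesting level."""
    chain = []
    current = url
    for _ in range(max_depth):  # bounded so a self-referencing value cannot loop
        values = parse_qs(urlsplit(current).query).get("xredirect")
        if not values:
            break
        current = values[0]  # parse_qs has already percent-decoded one layer
        chain.append(current)
    return chain


def has_markup(value):
    """True when the decoded value carries HTML metacharacters."""
    return any(c in MARKUP_CHARS for c in value)


def render_hidden_field(value):
    """Hypothetical output step: escape for a double-quoted HTML attribute."""
    escaped = html.escape(value, quote=True)
    return '<input type="hidden" name="xredirect" value="%s"/>' % escaped


if __name__ == "__main__":
    for depth, value in enumerate(xredirect_chain(REPORT_URL)):
        print(depth, has_markup(value), value)
    print(render_hidden_field(xredirect_chain(REPORT_URL)[0]))
```

The markup characters are already present after the first decode of the outer parameter, so escaping has to happen wherever the decoded value is written into the page, whatever the nesting depth.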

            People

              surli Simon Urli