Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-19549

Page content, object properties and title leak on fully private wiki with xpages on the login action

    XMLWordPrintable

Details

    • High
    • Unknown
    • N/A

    Description

      Steps to reproduce:

      • Make the wiki fully closed, i.e., check "Prevent unregistered users from viewing pages, regardless of the page rights" and the similar checkbox for editing in the rights administration.
      • Go to <server>/xwiki/bin/login/Main/?xpage=view

      Expected result:

      You are redirected to login.

      Actual result:

      The page including title and content are displayed.

      Note that this applies to any page but no sheets are applied. This also works with xpage=preview and xpage=print.

      This issue most likely affects all versions of XWiki, I was able to reproduce on XWiki Enterprise 1.1.1, the oldest version that has a demo package available.

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-19576 XWikiPreferences vanish on newly created subwikis

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-18602 Dataleak on fully-private Wiki on Delete page

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          links to

          Web Link GitHub Security advisory

          Activity

            People

              MichaelHamann Michael Hamann
              MichaelHamann Michael Hamann
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: