Details
- Bug
- Resolution: Fixed
- Blocker
- 8.0-rc-1
- Unit
- High
- Unknown
- N/A
Description
Steps to reproduce
- Disable user registration by removing the register right for guest users
- Log out
- Go to <server>/xwiki/bin/view/XWiki/Admin?xpage=xpart&vm=distribution/firstadminuser.wiki&xwikiname=attacker_view&register_password=attacker_view&register2_password=attacker_view
Expected result
Some error message.
Actual result
You are logged in with a new user "attacker_view" and password "attacker_view".
This also bypasses any email verification that is set up. Note that the same attack can also be performed on a fully private wiki via the login action, similar to XWIKI-19549, but that path should be fixed as part of XWIKI-19549.
This issue reproduces on XWiki 8.0 (and current development versions). Since XWiki 8.0 is the version in which the exploited template was added as part of XWIKI-13013, that should be the actual affected version. I assume that this issue does not affect installations using an external authentication system.
Note that while the template includes code to set the newly created user as owner of the current wiki, this only works if the wiki doesn't have an owner yet, so the user shouldn't gain any extra privileges compared to a regular user (but this is still bad in a public wiki where all users have write access and registration is disabled).
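Added example (not part of this issue or of the XWiki code base): a small Python scanner that flags access-log requests for the `distribution/firstadminuser.wiki` template, keyed on the decoded `vm` query parameter from the reproduction URL above rather than on the `view` action, since the description notes the same template can be reached through the login action. The combined-style log format, the sample lines, the IP addresses and the benign template name `other.vm` are constructed for the example; only query strings are visible in access logs, so a POST carrying the same parameters in its body would not be caught this way.

```python
"""Flag access-log requests that render the first-admin-user template (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined-style access log; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

TEMPLATE = "distribution/firstadminuser.wiki"
PASSWORD_PARAMS = ("register_password", "register2_password")


def inspect_target(target):
    """Return details if the request target renders the template, else None.

    Matching is done on decoded query parameters, so a percent-encoded
    vm=distribution%2Ffirstadminuser.wiki is treated like the plain form.
    The path (and therefore the action: view, login, ...) is not consulted.
    """
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs decodes once; a second unquote also catches double-encoded values
    # and leaves already-decoded text unchanged.
    templates = [unquote(v) for v in params.get("vm", [])]
    if not any(t.endswith(TEMPLATE) for t in templates):
        return None
    return {
        "path": parts.path,
        "xpage": params.get("xpage", [None])[0],
        "xwikiname": params.get("xwikiname", [None])[0],
        # Passwords in the query string mean the request can create a usable account.
        "password_supplied": any(p in params for p in PASSWORD_PARAMS),
    }


def scan_log(lines):
    """Return one finding per log line whose request target matches the template."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_target(m.group("target"))
        if hit is None:
            continue
        hit.update(
            ip=m.group("ip"),
            ts=m.group("ts"),
            method=m.group("method"),
            status=int(m.group("status")),
        )
        findings.append(hit)
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # Benign: plain view of the admin page.
    '10.0.0.5 - - [10/Mar/2022:10:01:12 +0000] "GET /xwiki/bin/view/XWiki/Admin HTTP/1.1" 200 5120',
    # Benign: some other template rendered through xpart (hypothetical name).
    '10.0.0.5 - - [10/Mar/2022:10:01:30 +0000] "GET /xwiki/bin/view/Main/WebHome?xpage=xpart&vm=other.vm HTTP/1.1" 200 2048',
    # The request from the reproduction steps.
    '203.0.113.7 - - [10/Mar/2022:10:02:01 +0000] "GET /xwiki/bin/view/XWiki/Admin?xpage=xpart&vm=distribution/firstadminuser.wiki&xwikiname=attacker_view&register_password=attacker_view&register2_password=attacker_view HTTP/1.1" 200 310',
    # Same template with the path separator percent-encoded and no passwords.
    '203.0.113.7 - - [10/Mar/2022:10:02:05 +0000] "GET /xwiki/bin/view/XWiki/Admin?xpage=xpart&vm=distribution%2Ffirstadminuser.wiki&xwikiname=attacker_view2 HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the module prints two findings, both from 203.0.113.7; the first has `password_supplied` set, the second does not. Because the check keys on the `vm` parameter alone, it also covers the login-action variant mentioned above without any change to the pattern.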
Attachments
Issue Links
- is caused by
  - XWIKI-13013 Create and register a main wiki owner in the DW (Closed)
- links to