Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 14.4.2, 13.10.7, 14.5
Affects Version/s: 12.4
Component/s: Old Core, User - User Profile
Labels:

Development Priority:
High
Difficulty:
Unknown
Documentation:
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5v9-g8w8-5q4v
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

Go to <server>/xwiki/bin/view/XWiki/XWikiUserProfileSheet?action=disable&userId=XWiki.Admin&csrf=<token> where <token> is the CSRF token (can be found in the data-xwiki-form-token attribute of the <html> element).
Log in as the admin user.

Expected result:
In the first step, false is displayed and in the second step, the admin user can be normally used.

Actual result:
In the first step, true is displayed and in the second step, the admin user gets the message "Your account has been disabled. Please contact the administrator if you think this is a mistake.".

By replacing disable by enable in the first step, the account can be re-enabled. This has two consequences:

The wiki can be sabotaged by disabling all users.
Disabled users can easily re-enable themselves, at least on wikis that aren't private, I haven't checked if a logged-in user on a private wiki can also re-enable himself.

It is not clear to me if the rights check should have been in the user profile or in the user script server which is why I've added both components.

Attachments

Activity

People

Assignee:: Simon Urli

Reporter:: Michael Hamann

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 03/Jun/22 16:51

Updated:: 21/Nov/22 10:38

Resolved:: 09/Jun/22 12:03

Date of First Response:: 09/Jun/22 11:07 AM