XWiki Platform: XWIKI-19852

Users can be created even when registration is disabled without validation via the template macro


Details

    • High
    • Unknown
    • N/A

    Description

      Steps to reproduce:

      1. On a wiki with view rights for guests but user registration disabled, open as guest <server>/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%2F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7Btemplate+name%3D%22distribution%2Ffirstadminuser.wiki%22+%2F%7D%7D where <server> is the URL of your XWiki installation.
      2. Enter username and password of your choice.
      3. Click "Register and login"

      Expected result:
      An error is displayed that registration is disabled/the distribution wizard cannot be executed.

      Actual result:
      You are logged in with the chosen login data. Note that the user validation is also skipped.

      This is exploiting the same vulnerable template as XWIKI-19558 but via a different attack vector that I didn't know/expect when I reported and fixed that issue.
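The request shape in the steps above (guest request, `sheet=CKEditor.HTMLConverter`, a `{{template name="distribution/firstadminuser.wiki" /}}` macro in the `text` parameter) is visible in ordinary web-server access logs, so an administrator can check whether it was used before the fix was deployed. The following is an added example written for this issue page, not XWiki project code: it decodes the query string of each request and flags hits on the converter sheet whose `text` carries that template macro. The combined-style log format with the XWiki user name in the third field, and the sample lines themselves, are constructed for the example.

```python
"""Flag access-log requests that feed the distribution/firstadminuser.wiki
template macro into the CKEditor.HTMLConverter sheet (the XWIKI-19852 shape).

Added example, not XWiki project code. The log format and sample lines are
constructed: "<ip> - <user|-> [<time>] "<method> <uri> HTTP/x" <status> <bytes>".
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-style format; a guest request has '-' in the user field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The macro from the report, tolerating extra whitespace and either quote style.
TEMPLATE_MACRO_RE = re.compile(
    r'\{\{\s*template\s+name\s*=\s*["\']distribution/firstadminuser\.wiki["\']\s*/?\}\}',
    re.IGNORECASE,
)

CONVERTER_SHEET = "CKEditor.HTMLConverter"

# Constructed sample log: one request matching the report, two benign ones.
SAMPLE_LOG = [
    # Guest sends the converter the firstadminuser template macro (flagged).
    '203.0.113.7 - - [01/Jul/2022:10:15:02 +0000] "GET /xwiki/bin/view/Main'
    '?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%2F2.1'
    '&stripHTMLEnvelope=true&fromHTML=false&toHTML=true'
    '&text=%7B%7Btemplate+name%3D%22distribution%2Ffirstadminuser.wiki%22+%2F%7D%7D'
    ' HTTP/1.1" 200 5120',
    # Logged-in user converting ordinary wiki syntax on the same sheet (not flagged).
    '198.51.100.4 - XWiki.alice [01/Jul/2022:10:16:40 +0000] "GET /xwiki/bin/view/Main'
    '?sheet=CKEditor.HTMLConverter&fromHTML=false&toHTML=true&text=%3D+Heading+%3D'
    ' HTTP/1.1" 200 312',
    # Guest viewing a page without any sheet parameter (not flagged).
    '203.0.113.9 - - [01/Jul/2022:10:17:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 8900',
]


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(path):
    """Return (sheet, decoded text) from a request URI; parse_qs decodes %xx and '+'."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    sheet = query.get("sheet", [""])[0]
    text = query.get("text", [""])[0]
    return sheet, text


def find_findings(lines):
    """Return one finding per request that targets the converter sheet with the macro."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sheet, text = inspect_request(rec["path"])
        if sheet != CONVERTER_SHEET or not TEMPLATE_MACRO_RE.search(text):
            continue
        findings.append({
            "ip": rec["ip"],
            "user": rec["user"],
            "status": rec["status"],
            "guest": rec["user"] == "-",  # guest = unauthenticated request
        })
    return findings


if __name__ == "__main__":
    for f in find_findings(SAMPLE_LOG):
        who = "guest" if f["guest"] else f["user"]
        print(f"firstadminuser template via HTMLConverter from {f['ip']} ({who}), status {f['status']}")
```

A hit with `guest` set to true and a 200 status is the case this issue describes; a hit from a logged-in administrator may be legitimate use of the distribution wizard and should be reviewed rather than treated as an incident. Matching on the exact template name keeps the rule narrow; ordinary content conversions on the same sheet, such as the second sample line, are not reported.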

            People

              tmortagne Thomas Mortagne
              MichaelHamann Michael Hamann
