Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-19999

Livetable results allow reconstructing title, content and object fields of inaccessible documents with many requests



    • Unknown
    • N/A
    • N/A


      Steps to Reproduce:

      1. Restrict "view" access to Sandbox.TestPage3 by setting an explicit view right for admins
      2. As a user who is not an admin, open <server>/bin/get/XWiki/LiveTableResults?outputSyntax=plain&classname=&collist=doc.title%2Cdoc.location%2Cdoc.content&doc.title=Sandbo&doc.location=Sandbox.TestPage3&doc.content=dummy&limit=0 where <server> is the URL of your XWiki installation.

      Expect Result:

      No results are displayed as the user doesn't have view rights on Sandbox.TestPage3.

      Actual Result:

      The result


      is displayed.

      This reveals that a document Sandbox.TestPage3 exists (we explicitly searched for this name) which has a title containing "Sandbo" and a content containing "dummy". By starting with a single letter and then iteratively extending the match, the full content of the title/content or XObject properties can be discovered. Several tests can be combined in a single request to use binary search to narrow down the actual match from a list of possible characters/words. If the used alphabet is known and smaller than 128 distinct characters, it is possible to discover one character with 7 requests. Alternatively, frequencies of words and word pairs (2-gram frequencies) can be used to first guess whole words and only resort to guessing individual characters if none of the predicted words match, allowing a much faster recovery of the textual content. As it also depends on the content how easy the attack is and how much recovered content would be a "successful" attack, it is hard to quantify how many requests are necessary.

      The issue has been reproduced on 14.5 but is most likely older.


        Issue Links



              mleduc Manuel Leduc
              MichaelHamann Michael Hamann
              0 Vote for this issue
              1 Start watching this issue