Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 15.2, 14.10.8
Affects Version/s: 1.8
Component/s: REST
Labels:

Tests:

Integration
Difficulty:
Unknown
Documentation:
https://www.xwiki.org/xwiki/bin/view/Documentation/UserGuide/Features/XWikiRESTfulAPI#HAuthentication
Documentation in Release Notes:
https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/15.2/#HFormtokenrequiredontheRESTAPI and https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/14.10.8/#HIssuesspecificto
Similar issues:

Description

XWiki REST API relies on the session cookie to authenticate and it currently does not perform any kind of check to prevent a CSRF attack.
So it's possible to create a POST request from another website that might change the data.

For example, I might create a fake poll that when submitted by an XWiki.org admin will grant me admin rights by performing a POST request.

Attachments

Issue Links

causes

XWIKI-20876 FormTokenInjectionIT.simpleRESTPost is flickering

Closed

is caused by

XWIKI-3303 Allow application/www-form-urlencoded representation to be sent to REST resources

Closed

links to

Security Advisory

Activity

People

Assignee:: Michael Hamann

Reporter:: Simon Urli

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 15/Sep/22 14:34

Updated:: 10/Jul/23 17:43

Resolved:: 22/Mar/23 13:00

Date of First Response:: 19/Sep/22 10:40 PM