Details
-
Bug
-
Resolution: Solved By
-
Blocker
-
7.2-milestone-2
-
Unit
-
Unknown
-
N/A
-
N/A
-
Description
Steps to reproduce:
Open <xwiki-host>/xwiki/bin/view/Main/Search?sort=score&sortOrder=desc&highlight=true&facet=true&r=1&f_type=OBJECT_PROPERTY&f_locale=en&f_locale=&text=propertyvalue%3Ahash* where <xwiki-host> is the URL of your XWiki installation.
Expected result:
No password hashes are displayed.
Actual result:
The password hashes of all users are displayed.
This allows efficient, offline password cracking attacks against in particular weak passwords. This shouldn't affect wikis that use external authentication (SSO) - however, in many cases, external authentication is used in a combination with local accounts and can be overridden.
From what I can see, this vulnerability has been introduced in XWIKI-8689 as the original Solr indexing code before that change had a check to not to index password properties.
Attachments
Issue Links
- is caused by
-
XWIKI-12380 Add basic support for nested spaces to the Solr Search API
-
- Closed
-
- is related to
-
XWIKI-20371 Solr search disclosed email addresses of users
-
- Closed
-
- links to