XWiki Platform / XWIKI-21663

Scheduler in subwiki allows scheduling operations for any main wiki user



Description

Steps to reproduce:

As a global user (a user registered in the main wiki) without admin right or any other special right, view the document Scheduler.WebHome in a subwiki. Click on "Unschedule" (or "Schedule" or "Trigger") for any job.

Expected result:

No action is performed; in fact, view access to Scheduler.WebHome should already be denied for such a user.

Actual result:

The actions are performed even though the user doesn't have admin right. This shows two problems:

1. The view protection doesn't work for global users who can access a subwiki.
2. There is no right check in the scripting API of the scheduler.

This has (most likely) been the case since the scheduler was introduced in XWiki 1.2M2; the Jira issue for adding the (non-working) view protection is XASCH-7.

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L, score 5.4 (Medium)

Overall, the impact seems low, as nothing dramatic should happen when scheduled jobs are triggered too often. However, this could be used, for example, to prevent notifications about maliciously changed pages by unscheduling the job that sends them.
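The following is an added example, not XWiki's code and not the fix that was eventually shipped for this issue. It shows the shape of the right check that problem 2 above says is missing: a guard placed in front of the scheduler's scripting operations that requires admin right on the wiki owning the job before delegating. It uses the real XWiki classes ContextualAuthorizationManager, Right, AccessDeniedException, DocumentReference, WikiReference and com.xpn.xwiki.api.Document; the wrapper class GuardedSchedulerApi, the SchedulerOperations interface and its method names scheduleJob/unscheduleJob/triggerJob are assumptions made for illustration.

```java
import com.xpn.xwiki.api.Document;
import org.xwiki.model.reference.DocumentReference;
import org.xwiki.model.reference.WikiReference;
import org.xwiki.security.authorization.AccessDeniedException;
import org.xwiki.security.authorization.ContextualAuthorizationManager;
import org.xwiki.security.authorization.Right;

/**
 * Hypothetical guard (added example, not XWiki code) around the scheduler's
 * scripting operations. Each state-changing call is preceded by an ADMIN check
 * for the current context user on the wiki that owns the job document. The
 * check is done through ContextualAuthorizationManager, which works on full
 * references (wiki included), so a main-wiki user acting in a subwiki is
 * evaluated against that subwiki's rights rather than being trusted because
 * the UI page happened to be visible.
 */
public class GuardedSchedulerApi {

    /**
     * The three operations named in the report, as exposed by the unguarded
     * API. The interface and its method names are assumed, not taken from XWiki.
     */
    public interface SchedulerOperations {
        boolean scheduleJob(Document jobDoc) throws Exception;
        boolean unscheduleJob(Document jobDoc) throws Exception;
        boolean triggerJob(Document jobDoc) throws Exception;
    }

    private final SchedulerOperations delegate;
    private final ContextualAuthorizationManager authorization;

    public GuardedSchedulerApi(SchedulerOperations delegate,
                               ContextualAuthorizationManager authorization) {
        this.delegate = delegate;
        this.authorization = authorization;
    }

    /**
     * Require ADMIN on the wiki containing the job document. Scheduled jobs act
     * wiki-wide, so the wiki (not only the job page) is the entity to check.
     * checkAccess throws AccessDeniedException when the current user lacks the
     * right, which aborts the operation before the delegate is reached.
     */
    private void requireWikiAdmin(Document jobDoc) throws AccessDeniedException {
        DocumentReference jobRef = jobDoc.getDocumentReference();
        WikiReference jobWiki = jobRef.getWikiReference();
        this.authorization.checkAccess(Right.ADMIN, jobWiki);
    }

    public boolean scheduleJob(Document jobDoc) throws Exception {
        requireWikiAdmin(jobDoc);
        return this.delegate.scheduleJob(jobDoc);
    }

    public boolean unscheduleJob(Document jobDoc) throws Exception {
        requireWikiAdmin(jobDoc);
        return this.delegate.unscheduleJob(jobDoc);
    }

    public boolean triggerJob(Document jobDoc) throws Exception {
        requireWikiAdmin(jobDoc);
        return this.delegate.triggerJob(jobDoc);
    }
}
```

Placing the check in the API rather than only in Scheduler.WebHome matters for both problems listed above: a script in any other page (or a direct call from Velocity or Groovy) hits the same guard, and the decision no longer depends on the view protection of one UI page, which is exactly what failed for global users in a subwiki. The guard fails closed: if the authorization manager throws, no scheduler state is changed.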

People

Pierre Jeanjean (pjeanjean)
Michael Hamann (MichaelHamann)