Details
- Type: Bug
- Resolution: Fixed
- Priority: Major
- 1.2 M2
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
As a global user (a user registered in the main wiki) without admin right or any other special right, view the document Scheduler.WebHome in a subwiki. Click "Unschedule" (or "Schedule" or "Trigger") for any job.
Expected result:
No action is performed; in fact, view access to the page should already be denied to this user.
Actual result:
The action is performed even though the user has no admin right. This shows two separate problems:
- The view protection of Scheduler.WebHome does not work for global users who can access a subwiki.
- There is no right check in the scripting API of the scheduler, so the view protection would not be a security boundary even if it worked: any script the user can run can call the API directly.
This has (most likely) been the case since the introduction of the scheduler in XWiki 1.2M2. The Jira issue that added the (non-working) protection is XASCH-7.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Score 5.4 (Medium)
Overall, the impact seems low, as nothing dramatic should happen when jobs are triggered too often. However, unscheduling jobs could be used to, e.g., stop the job that sends notifications and thereby hide maliciously changed pages.
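The second problem above is the one that matters for the fix: the operation must be authorized in the scripting API itself, against the user who is actually calling it, rather than relying on who can view the page that hosts the buttons. The sketch below is an added example and not XWiki's own code; the XWiki plugin API names it relies on (the `Api` base class with its `context` field and `hasAdminRights()`/`hasProgrammingRights()`, `Document`, and a `SchedulerPlugin.unscheduleJob(Document, XWikiContext)` backend) are assumed for illustration and may differ from the real signatures.

```java
// Added example (not XWiki project code): the right check the scheduler
// scripting API is reported to lack. Names from the XWiki plugin API used
// below (Api, Api.context, hasAdminRights, hasProgrammingRights, Document,
// SchedulerPlugin.unscheduleJob) are assumed for illustration.
package com.xpn.xwiki.plugin.scheduler;

import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.api.Api;
import com.xpn.xwiki.api.Document;

public class SchedulerPluginApi extends Api
{
    private final SchedulerPlugin plugin;

    public SchedulerPluginApi(SchedulerPlugin plugin, XWikiContext context)
    {
        super(context);
        this.plugin = plugin;
    }

    /**
     * Vulnerable shape as described in the report: the API performs the
     * operation for whoever reaches it. A view-right check on
     * Scheduler.WebHome is no protection, because any page the caller can
     * write a script into can call $xwiki.scheduler.unscheduleJob() directly.
     */
    public boolean unscheduleJobUnchecked(Document jobDocument)
    {
        return this.plugin.unscheduleJob(jobDocument, this.context);
    }

    /**
     * Hardened shape: the API itself refuses the call unless the current
     * user holds admin right in the current wiki. For a global user browsing
     * a subwiki, this is the subwiki, which is where the job lives and where
     * the check has to be made. The same guard belongs in scheduleJob() and
     * triggerJob(). If, as the linked issue XASCH-7 asks, the operations
     * should be limited to programming-right holders instead, replace
     * hasAdminRights() with hasProgrammingRights(), which in XWiki is
     * evaluated for the author of the script being run.
     */
    public boolean unscheduleJob(Document jobDocument)
    {
        if (!hasAdminRights()) {
            // Deny and report nothing about the job; the caller has no
            // business knowing whether it exists.
            return false;
        }
        return this.plugin.unscheduleJob(jobDocument, this.context);
    }
}
```

The important design choice is where the check lives: in the scripting API that every caller has to go through, not in the page that happens to render the UI. Fixing only the view protection on Scheduler.WebHome would leave the API reachable from any script the attacker controls.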
Issue Links
- is caused by: XASCH-7 The application should not offer scheduler operations to users with non-programming rights (Closed)