XWiki Platform: XWIKI-22736

Title of inaccessible pages available through the class property values REST API


    Description

      Steps to reproduce:

      1. Create a page named "Page.WebHome" with title "Secret Title".
      2. Restrict view right on this page to admins.
      3. As a user without admin right (just view right on generic pages; this could be the guest user), open /xwiki/rest/wikis/xwiki/classes/XWiki.ClassSheetBinding/properties/sheet/values?fp=Page.WebHome&exactMatch=true on your XWiki instance.

      Expected result:

      The title "Secret Title" of the page isn't included in the response.

      Actual result:

      The response includes the full title "Secret Title" of the page, despite the user not having view right on the page.

      Note that there is nothing special about the "XWiki.ClassSheetBinding" class that is exploited here; this works with any class having a page property.

      I reproduced this vulnerability both on a recent development snapshot and on XWiki 10.9 as some of the code that I suspect to be responsible for this has been introduced in XWIKI-15605. I didn't check on older versions.
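      A defensive pattern for the endpoint described above, added here as an illustration and not XWiki's actual fix for this issue: before a page-property value is turned into a labelled suggestion, the current user's view right on the referenced document is checked, and values the user cannot view are dropped entirely (so neither the title nor the existence of a restricted page is exposed). `PageSuggestion` and `PageSuggestionFilter` are names assumed for this example; `ContextualAuthorizationManager`, `Right.VIEW` and `DocumentReference` are XWiki's real API.

```java
import java.util.ArrayList;
import java.util.List;

import org.xwiki.model.reference.DocumentReference;
import org.xwiki.security.authorization.ContextualAuthorizationManager;
import org.xwiki.security.authorization.Right;

/** Illustrative only (assumed type, not part of XWiki): one row of a property values response. */
final class PageSuggestion
{
    final DocumentReference reference;
    final String title;

    PageSuggestion(DocumentReference reference, String title)
    {
        this.reference = reference;
        this.title = title;
    }
}

/** Keeps only the suggestions whose document the current user is allowed to view. */
final class PageSuggestionFilter
{
    private final ContextualAuthorizationManager authorization;

    PageSuggestionFilter(ContextualAuthorizationManager authorization)
    {
        this.authorization = authorization;
    }

    List<PageSuggestion> viewableOnly(List<PageSuggestion> candidates)
    {
        List<PageSuggestion> result = new ArrayList<>();
        for (PageSuggestion candidate : candidates) {
            // hasAccess() evaluates the right for the user of the current request (guest included),
            // so the title of a page restricted to admins never reaches a non-admin caller.
            // Dropping the row, rather than blanking the title, also avoids an existence oracle
            // when the caller supplies the reference via fp=...&exactMatch=true.
            if (this.authorization.hasAccess(Right.VIEW, candidate.reference)) {
                result.add(candidate);
            }
        }
        return result;
    }
}
```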

      People

        Michael Hamann