Details
- Bug
- Resolution: Fixed
- Blocker
- 10.9
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
- Create a page named "Page.WebHome" with title "Secret Title".
- Restrict view right on this page to admins.
- As user without admin right (just view right on generic pages, could be guest), open /xwiki/rest/wikis/xwiki/classes/XWiki.ClassSheetBinding/properties/sheet/values?fp=Page.WebHome&exactMatch=true on your XWiki instance.
Expected result:
The title "Secret Title" of the page isn't included in the response.
Actual result:
The response includes the full title "Secret Title" of the page, despite the user not having view right on the page.
Note that there is nothing special about the "XWiki.ClassSheetBinding" class that is exploited here; this works with any class having a page property.
I reproduced this vulnerability both on a recent development snapshot and on XWiki 10.9, as some of the code that I suspect to be responsible for this has been introduced in XWIKI-15605. I didn't check on older versions.
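The following is an added illustration, not XWiki's own code: it models the property-values lookup for a class "page" property with an in-memory wiki, shows the vulnerable behaviour (title resolved for every matching page) beside a hardened variant that drops entries the requesting user has no view right on, and includes a small regression check. The response shape (`value` / `metaData.label`), the `has_view_right` oracle and the sample pages are assumptions made for the example.

```python
# Added example (not XWiki code). The authorization oracle, the wiki
# content and the response shape are constructed for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Page:
    reference: str                 # e.g. "Page.WebHome"
    title: str                     # e.g. "Secret Title"
    view_allowed_for: frozenset = field(default_factory=frozenset)


# Constructed sample wiki: one page restricted to admins, one public page.
WIKI = {
    "Page.WebHome": Page("Page.WebHome", "Secret Title", frozenset({"admin"})),
    "Sandbox.WebHome": Page("Sandbox.WebHome", "Sandbox",
                            frozenset({"admin", "guest", "alice"})),
}


def has_view_right(user: str, reference: str) -> bool:
    """Stand-in for the wiki's authorization check (assumed, not XWiki's)."""
    page = WIKI.get(reference)
    return page is not None and user in page.view_allowed_for


def _matches(reference: str, fp: str, exact_match: bool) -> bool:
    return reference == fp if exact_match else reference.startswith(fp)


def property_values_vulnerable(user: str, fp: str, exact_match: bool) -> list:
    """Vulnerable behaviour: every matching page's title is returned and
    `user` is never consulted, so restricted titles leak."""
    return [{"value": ref, "metaData": {"label": page.title}}
            for ref, page in WIKI.items() if _matches(ref, fp, exact_match)]


def property_values_fixed(user: str, fp: str, exact_match: bool) -> list:
    """Hardened behaviour: entries for pages `user` cannot view are dropped,
    so neither the title nor the existence of the page is disclosed."""
    return [{"value": ref, "metaData": {"label": page.title}}
            for ref, page in WIKI.items()
            if _matches(ref, fp, exact_match) and has_view_right(user, ref)]


def leaked_titles(values: list, user: str) -> list:
    """Regression check: titles in a response for pages `user` may not view."""
    return [v["metaData"]["label"] for v in values
            if not has_view_right(user, v["value"])]
```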