Details
Type: Bug
Resolution: Fixed
Priority: Blocker
Affects Version/s: 1.1 M2
Description
Steps to reproduce:
- Ask for a password reset token for any user, let's take "Admin" as example.
- Open /xwiki/bin/view/XWiki/Admin?xpage=xml (view the source if your browser doesn't display it).
Expected result:
The hash of the password reset token isn't in the XML.
Actual result:
The hash of the password reset token is in the XML, for example:
<verification>hash:SHA-512:ccf90773077bc908adb04a640be0b8652f1dcc4454786a6da7d60cc569b8bd0f:ddf2b76c10dee1be3232d8bd166392db12d16615ff4da39ab53877e44c868d2b2b3773d88281947c80e605fa925d61baa104df2a035a650fc94d888aef310f9a</verification>
This is because the XML export only removes properties named password and email, regardless of their type. Every password- or email-type property with a different name is therefore exported, which is particularly dangerous for password properties whose values are either not random or not hashed. From what I can see, we have no such fields not named password in XWiki itself outside XWiki.XWikiPreferences, which is protected by rights. Therefore, the impact on XWiki itself should be relatively low, as account verification and password reset tokens are randomly generated and should thus be hard to brute force, but the leak still makes such attacks much easier (an offline guess against the exported hash instead of an online attempt against the server).
I haven't actually tested this with XWiki 1.1 M2, but that's how old the vulnerable code is; it performed the same kind of filtering and `xml.vm` existed too, so I assume the attack should work on these versions.
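To make the filtering mistake concrete, the following example (written for this report, not XWiki's own `xml.vm` or Java code) simulates the export over a constructed XWiki.XWikiUsers object and contrasts filtering by property name with filtering by property type. It also includes a small check that scans the XML text of a `?xpage=xml` response for values in XWiki's `hash:<algorithm>:<salt>:<digest>` password format, which is what a reviewer can run against a real export to confirm whether any hash leaks. The object layout, property type names and the `password` value are assumptions for the example; the `verification` value is the one quoted above.

```python
"""Example for this report: name-based vs type-based filtering of object
properties in an XML export, plus a scanner for leaked XWiki-style hashes.
Not XWiki code; the data model below is a simplified stand-in."""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for an XWiki.XWikiUsers object: (name, type, value).
# "verification" is a Password-type property that is NOT named "password",
# so a filter keyed on the name lets it through.  The value copies the
# hash quoted in the report; the "password" value is made up.
USER_OBJECT = [
    ("first_name", "String", "Admin"),
    ("email", "Email", "admin@example.org"),          # constructed
    ("password", "Password", "hash:SHA-512:0123abcd:deadbeef"),  # constructed
    ("verification", "Password",
     "hash:SHA-512:"
     "ccf90773077bc908adb04a640be0b8652f1dcc4454786a6da7d60cc569b8bd0f:"
     "ddf2b76c10dee1be3232d8bd166392db12d16615ff4da39ab53877e44c868d2b"
     "2b3773d88281947c80e605fa925d61baa104df2a035a650fc94d888aef310f9a"),
]


def export_by_name(props):
    """Vulnerable filter: drops only properties *named* password/email."""
    skip = {"password", "email"}
    return {name: value for name, _type, value in props if name not in skip}


def export_by_type(props):
    """Hardened filter: drops every property whose *type* is Password/Email,
    whatever it is called."""
    skip = {"Password", "Email"}
    return {name: value for name, ptype, value in props if ptype not in skip}


def to_xml(exported):
    """Serialise the surviving properties as <object><name>value</name>...</object>."""
    root = ET.Element("object")
    for name, value in exported.items():
        ET.SubElement(root, name).text = value
    return ET.tostring(root, encoding="unicode")


# XWiki stores hashed passwords as hash:<algorithm>:<hex salt>:<hex digest>.
HASH_RE = re.compile(r"^hash:([A-Za-z0-9-]+):([0-9a-f]+):([0-9a-f]+)$")


def leaked_hashes(xml_text):
    """Scan an XML document (e.g. the body of ?xpage=xml) for elements whose
    text is an XWiki-style password hash.  Returns (element name, algorithm)
    pairs in document order; an empty list means nothing leaked."""
    root = ET.fromstring(xml_text)
    found = []
    for element in root.iter():
        match = HASH_RE.match((element.text or "").strip())
        if match:
            found.append((element.tag, match.group(1)))
    return found


if __name__ == "__main__":
    for label, exporter in (("by name", export_by_name), ("by type", export_by_type)):
        xml_text = to_xml(exporter(USER_OBJECT))
        print(f"filter {label}: leaked = {leaked_hashes(xml_text)}")
```

Run stand-alone, the name-based export reports the leaked `verification` hash while the type-based export reports nothing. To check a real instance, pass the text of the `?xpage=xml` response to `leaked_hashes`; any non-empty result is a property the export should have stripped.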