XWiki Platform: XWIKI-23151

PDF export jobs store sensitive cookies unencrypted in job statuses



    Description

      Steps to reproduce:

      1. As admin, perform a PDF export
      2. Examine the most recent job status file in data/jobs/status/3/export/pdf/ (in XWiki < 17.2.0/16.10.6 without the 3 in the path)

      Expected result:

      There isn't any sensitive data in the job status.

      Actual result:

      The job status contains all cookies that were sent by the user's browser including the encrypted username and password. As the encryption key is stored in the same data directory (by default it is generated in data/configuration.properties), this means that this job status contains the equivalent of the plain text password of the user who requested the PDF export.

      This is a security issue: XWiki shouldn't store passwords in plain text, and it shouldn't be possible to obtain plain text passwords by gaining access to, e.g., a backup of the data directory.
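      As an added example (not XWiki's own code) of how an administrator could audit existing job status files for the leak described above: a Python script that walks a data/jobs/status tree, reports which status files contain cookies with sensitive names (without printing their values), and can blank those values. The XML layout, the cookie names and the sample document are constructed assumptions, not taken from XWiki.

```python
"""Audit serialized job status files for stored cookie values.

Assumptions (not confirmed by the issue): status files are XML, and each
cookie is serialized as an element with <name> and <value> children.
The sample document and the cookie names below are constructed.
"""
import os
import xml.etree.ElementTree as ET

# Cookie names treated as sensitive; constructed list, adjust to your deployment.
SENSITIVE_COOKIES = {"username", "password", "rememberme", "JSESSIONID"}

# Constructed sample of what a leaking status file might look like.
SAMPLE_STATUS = """<status>
  <request>
    <cookies>
      <cookie><name>JSESSIONID</name><value>CONSTRUCTED-SESSION-ID</value></cookie>
      <cookie><name>username</name><value>CONSTRUCTED-ENCRYPTED-USER</value></cookie>
      <cookie><name>password</name><value>CONSTRUCTED-ENCRYPTED-PASS</value></cookie>
      <cookie><name>theme</name><value>dark</value></cookie>
    </cookies>
  </request>
</status>"""


def _sensitive_cookie_elements(root):
    """Yield (name, value_element) for every sensitive cookie in the tree."""
    for elem in root.iter():
        name, value = elem.find("name"), elem.find("value")
        if name is not None and value is not None and name.text in SENSITIVE_COOKIES:
            yield name.text, value


def find_sensitive_cookies(xml_text):
    """Return the names (never the values) of sensitive cookies in a status document."""
    return [name for name, _ in _sensitive_cookie_elements(ET.fromstring(xml_text))]


def redact_sensitive_cookies(xml_text):
    """Return (redacted_xml, count) with every sensitive cookie value blanked out."""
    root = ET.fromstring(xml_text)
    count = 0
    for _, value in _sensitive_cookie_elements(root):
        value.text = "REDACTED"
        count += 1
    return ET.tostring(root, encoding="unicode"), count


def audit_status_dir(status_dir):
    """Map each parseable .xml status file under status_dir to its sensitive cookie names."""
    report = {}
    for dirpath, _, filenames in os.walk(status_dir):
        for fn in filenames:
            if not fn.endswith(".xml"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8") as fh:
                    hits = find_sensitive_cookies(fh.read())
            except ET.ParseError:
                continue  # not an XML status file; skip it
            if hits:
                report[path] = hits
    return report
```

Run audit_status_dir against the data/jobs/status directory (the 3/export/pdf subtree on the affected versions) to list files that should be cleaned up or deleted after upgrading.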

      People: Marius Dumitru Florea (mflorea), Michael Hamann (MichaelHamann)