XWiki Platform / XWIKI-23875

Livetable results still allow reconstructing password hashes using 768 requests


Details

    • Unit
    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      Open /xwiki/bin/get/XWiki/LiveTableResults?outputSyntax=plain&password_class=XWiki.XWikiUsers&collist=password&password=hash:SHA-512:c

      Modify the filter as explained in XWIKI-19949 to recover the full password hash.

      Expected result:

      Results aren't filtered by the password column, so all documents are returned.

      Actual result:

      The filter is applied as the check added for fixing XWIKI-19949 doesn't consider the class passed via the _class parameters.

      I've indicated the same affects version as XWIKI-19949.


            People

              MichaelHamann Michael Hamann
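For operators who want to check whether requests of the shape reported above reached a wiki, the following added example (not part of the issue and not XWiki code) scans access-log lines for LiveTableResults requests that filter on a password column, whether the class is given through the per-column `_class` parameter or otherwise. The log format, the sample lines, the `SENSITIVE_PROPS` set, the `threshold` value and the handling of the `classname` parameter are assumptions made for this sketch.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

SENSITIVE_PROPS = {"password"}  # assumption: property names treated as secret
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def filtered_sensitive_columns(url):
    """Return (column, class) pairs for sensitive columns a request filters on."""
    parts = urlsplit(url)
    if not parts.path.endswith("/XWiki/LiveTableResults"):
        return []
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    hits = []
    for col in filter(None, query.get("collist", "").split(",")):
        value = query.get(col, "")
        if not value:
            continue  # column is only displayed, not used as a filter
        if col.lower() in SENSITIVE_PROPS or value.startswith("hash:"):
            # The class may come from "<col>_class" (the case in this issue)
            # or from the table-wide "classname" parameter.
            hits.append((col, query.get(col + "_class") or query.get("classname", "")))
    return hits

def scan(lines, threshold=3):
    """Count flagged requests per client; return clients at or above threshold."""
    counts = Counter()
    for line in lines:
        m = REQUEST.match(line)
        if m and filtered_sensitive_columns(m.group(2)):
            counts[m.group(1)] += 1
    return {client: n for client, n in counts.items() if n >= threshold}

# Constructed sample access-log lines (documentation IP ranges).
BASE = "/xwiki/bin/get/XWiki/LiveTableResults?outputSyntax=plain"
FLAGGED = BASE + "&password_class=XWiki.XWikiUsers&collist=password&password=hash:SHA-512:c"
BENIGN = BASE + "&classname=XWiki.XWikiUsers&collist=first_name&first_name=Al"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2025:10:00:0{i} +0000] "GET {FLAGGED} HTTP/1.1" 200 512'
    for i in range(3)
] + [f'198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET {BENIGN} HTTP/1.1" 200 900']

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The check keys on the filtered column and its value rather than on a fixed class parameter, so a request that names the class only through `password_class` is still flagged.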