XWiki Platform / XWIKI-5650

Registering a user as XWiki.XWikiGuest automatically gives AllGroup rights to unauthenticated users


Details

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 2.0.2, 2.5.1
    • Component/s: Old Core
    • Labels: guest, register
    • Unknown
    • N/A
    • N/A

    Description

      To reproduce, on a default distribution (the .zip with HSQLDB / Jetty):

      • go to the registration page
      • register a user named XWikiGuest
      • now refresh the page WITHOUT logging in as this user: you should see the "Add" menu, the "Edit" menus for the page, etc. XWiki.XWikiAllGroup now contains XWiki.XWikiGuest as a member, which gives all the rights of registered users to the guest (unauthenticated) identity.

      This is already an issue because anonymous users can do stuff (with XWikiGuest) and it's not a good idea.

      This is a security issue when activation of users is controlled by wiki admins or such, in which case the intruder can get the rights of registered users immediately, without being approved.

      I managed to reproduce it on a 2.6 snapshot and a 2.0.2, so I would assume that it reproduces for all the versions in the meantime.
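      The mechanism behind the report, and the two checks a defender would want, as an added illustration that is not XWiki code: a toy wiki in which registration creates `XWiki.<name>` and puts it in `XWiki.XWikiAllGroup`, and a group right applies to every member. Registering the account whose document name equals the guest identity makes the unauthenticated visitor a member of that group. The hardened variant rejects reserved usernames at registration and, as a second layer, never lets the guest identity inherit group-derived rights even if something else lists it as a member. The `Wiki` class, the `RESERVED_NAMES` set and the default rights table are assumptions of this model, not XWiki's real configuration.

```python
"""Toy model of the XWIKI-5650 behaviour next to a hardened counterpart.

Hypothetical model, not XWiki code: users, groups and a rights table.
Registration puts every new user into XWiki.XWikiAllGroup, and a right
granted to a group applies to each member. Creating an account whose
document name equals the guest identity therefore makes the unauthenticated
visitor a member of the group and grants it the group's rights.
"""
from typing import Dict, Set

GUEST = "XWiki.XWikiGuest"          # identity of unauthenticated visitors
ALL_GROUP = "XWiki.XWikiAllGroup"   # group every registered user joins
# Account names that must never be registrable (assumed list; compared
# case-insensitively on purpose, which is conservative).
RESERVED_NAMES = {"xwikiguest"}


class Wiki:
    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.users: Set[str] = set()
        self.groups: Dict[str, Set[str]] = {ALL_GROUP: set()}
        # right -> subjects (users or groups) holding it; constructed defaults:
        # guest may view, and the all-users group may view and edit.
        self.rights: Dict[str, Set[str]] = {
            "view": {GUEST, ALL_GROUP},
            "edit": {ALL_GROUP},
        }

    def register(self, username: str) -> str:
        """Create XWiki.<username> and add it to the all-users group."""
        if self.hardened and username.strip().lower() in RESERVED_NAMES:
            raise ValueError(f"reserved username: {username}")
        doc = f"XWiki.{username}"
        self.users.add(doc)
        self.groups[ALL_GROUP].add(doc)
        return doc

    def groups_of(self, subject: str) -> Set[str]:
        """Groups whose rights the subject inherits."""
        if self.hardened and subject == GUEST:
            # Second layer: the guest identity never gets group-derived
            # rights, even if something else managed to list it as a member.
            return set()
        return {g for g, members in self.groups.items() if subject in members}

    def has_right(self, subject: str, right: str) -> bool:
        holders = self.rights.get(right, set())
        return subject in holders or bool(self.groups_of(subject) & holders)


def reproduce(hardened: bool) -> dict:
    """Run the report's steps against a fresh wiki and report the outcome."""
    wiki = Wiki(hardened)
    try:
        wiki.register("XWikiGuest")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "registration_rejected": rejected,
        "guest_in_all_group": GUEST in wiki.groups[ALL_GROUP],
        "guest_can_view": wiki.has_right(GUEST, "view"),
        "guest_can_edit": wiki.has_right(GUEST, "edit"),
    }


def forced_membership_grants_edit(hardened: bool) -> bool:
    """Defence in depth: list the guest identity in the group directly
    (bypassing registration) and ask the rights resolver."""
    wiki = Wiki(hardened)
    wiki.groups[ALL_GROUP].add(GUEST)
    return wiki.has_right(GUEST, "edit")


def registered_user_can_edit(hardened: bool) -> bool:
    """Regression check: an ordinary account still gets group rights."""
    wiki = Wiki(hardened)
    alice = wiki.register("alice")
    return wiki.has_right(alice, "edit")


if __name__ == "__main__":
    for mode in (False, True):
        label = "hardened" if mode else "vulnerable"
        print(label, reproduce(mode),
              "forced-membership edit:", forced_membership_grants_edit(mode))
```

      In the vulnerable mode the registration succeeds and the guest identity can edit; in the hardened mode the registration is refused, and even a membership injected by another route does not give the guest identity the group's edit right, while a normal registered user keeps it.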

      People

        softec Denis Gervalle
        lucaa Anca Luca