Details
- Bug
- Resolution: Won't Fix
- Major
- None
- 2.0.2, 2.5.1
- guest, register
- Unknown
- N/A
- N/A
Description
To reproduce, on a default distribution (the .zip with hsql / jetty):
- go to the registration page
- register a user named XWikiGuest
- now refresh, DON'T log in with this user; you should now see the "Add" menu, "Edit" menus for the page, etc. The XWiki.XWikiAllGroup will contain XWiki.XWikiGuest in there, therefore giving all the rights of the registered users to guest.
This is already an issue because anonymous users can do stuff (with XWikiGuest) and it's not a good idea.
This is a security issue when activation of users is controlled by wiki admins or such, in which case the intruder can get the rights of registered users immediately, without being approved.
I managed to reproduce it on a 2.6 snapshot and a 2.0.2, so I would assume that it reproduces for all the versions in the meantime.
Issue Links
- is duplicated by XAADMINISTRATION-148 User can create an interesting situation by registering username XWikiGuest (Closed)
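
An added sketch, not XWiki code and not part of the original report: a simplified Python model of the behaviour described in the issue, next to a registration check that rejects the reserved name and an audit that flags any group listing the guest principal. The `Wiki` class, the `RESERVED` list, the case-insensitive comparison and the activation model are assumptions made for illustration.

```python
# Simplified model of the flaw in the report; this is not XWiki code.
GUEST = "XWiki.XWikiGuest"         # principal used for anonymous requests (from the report)
ALL_GROUP = "XWiki.XWikiAllGroup"  # group that new registrations join (from the report)
RESERVED = {"xwikiguest"}          # assumed reserved list, compared case-insensitively


class Wiki:
    def __init__(self, reject_reserved):
        self.reject_reserved = reject_reserved
        self.groups = {ALL_GROUP: set()}
        self.active = set()

    def register(self, username):
        """Create a pending account and add it to the all-users group."""
        if self.reject_reserved and username.strip().lower() in RESERVED:
            raise ValueError("reserved user name: " + username)
        principal = "XWiki." + username.strip()
        self.groups[ALL_GROUP].add(principal)
        return principal

    def activate(self, principal):
        self.active.add(principal)

    def can_edit(self, session_user=None):
        """Rights check: anonymous requests are evaluated as GUEST."""
        principal = session_user or GUEST
        if session_user is not None and principal not in self.active:
            return False  # assumed: pending accounts cannot log in
        return principal in self.groups[ALL_GROUP]


def audit_groups(wiki):
    """Detection: names of groups that list the guest principal as a member."""
    return sorted(g for g, members in wiki.groups.items() if GUEST in members)


def demo():
    weak, fixed = Wiki(reject_reserved=False), Wiki(reject_reserved=True)
    weak.register("XWikiGuest")  # never activated, never logged in
    try:
        fixed.register("xwikiguest")
        rejected = False
    except ValueError:
        rejected = True
    return weak.can_edit(), audit_groups(weak), rejected, fixed.can_edit()


if __name__ == "__main__":
    print(demo())
```

In the unchecked model the anonymous request passes the rights check even though the account was never activated, which is the approval bypass the report describes; the audit function finds the same condition on a wiki that is already affected.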