  1. XWiki Platform
  2. XWIKI-7351

Unable to save a Skin with an override of header.vm when behind a NETASQ firewall

Details

    • Bug
    • Resolution: Cannot Reproduce
    • Major
    • None
    • 3.1
    • Security
    • Very hard
    • N/A
    • N/A

    Description

      This issue was reported by Vincent Colas, system administrator at ARCNAM Poitou-Charentes. He is located at the Université de Poitiers - Sciences Fondamentales et Appliquées, and he is behind a firewall made by NETASQ (http://www.netasq.com/fr/produits-services/reseau.php).

      On their side, the skin has a field containing the header.vm override to provide a slideshow header. When he modifies this field of the skin, even by just adding a space or a comment, and only when this field has been modified, the firewall prevents the save action from going through. The browser either waits indefinitely on the AJAX request or returns a blank page if it was a save and view.

      The firewall reports an XSS issue, an issue that many other CMSs have had and have fixed in the past. The firewall provides a list of the many affected products: https://www.netasq.com/securitykb/fr/09ed8e1d1fb04bd7.html
      Therefore, Mr. Colas kindly informed us of the issue to have it fixed.

      I attach to this issue:

      • the content of the header.vm field
      • the screenshot of the NETASQ report

      Attachments

        1. header.vm
          4 kB
          Denis Gervalle
        2. netasq.jpeg
          314 kB
          Denis Gervalle

          People

            mleduc Manuel Leduc
            softec Denis Gervalle