Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-8884

Subwiki admin can import as backup a custom xar thus obtaining PR on the imported pages

    XMLWordPrintable

Details

    • Unknown
    • N/A
    • N/A

    Description

      It seem that this issue is reported to have been fixed by XWIKI-4073, but it is still reproducing on recent 5.0-SNAPSHOT versions.

      Basically, if you are a subwiki admin, create a custom xar where you put xwiki:XWiki.Admin as author and import as backup, your imported page will have PR.

      If we put this in the context of workspaces where any user can create a subwiki and thus be made subwiki admin, then the problem is very serious. myxwiki.org (and farms in general) is another example where things can go really bad.

      While attempting to fix this, we should also consider the fact that some features actually rely on this security hole, namely the ability to have legitimate pages that require PR in subwikis.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-4066 Base package in an virtual wiki does not receive programming rights as required

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-4073 Current user should have global admin right to import a backup pack

          • Major - Major loss of function.
          • Closed

          Activity

            People

              tmortagne Thomas Mortagne
              enygma Eduard Moraru
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: