  1. XWiki Platform
  2. XWIKI-8884

Subwiki admin can import as backup a custom xar thus obtaining PR on the imported pages


    Description

      It seems that this issue is reported to have been fixed by XWIKI-4073, but it is still reproducing on recent 5.0-SNAPSHOT versions.

      Basically, if you are a subwiki admin and you create a custom xar where you put xwiki:XWiki.Admin as author and import it as backup, your imported page will have PR.

      If we put this in the context of workspaces where any user can create a subwiki and thus be made subwiki admin, then the problem is very serious. myxwiki.org (and farms in general) is another example where things can go really bad.

      While attempting to fix this, we should also consider the fact that some features actually rely on this security hole, namely the ability to have legitimate pages that require PR in subwikis.

      Attachments

        1. PR.xar
          1 kB
          Eduard Moraru


            People

              tmortagne Thomas Mortagne
              enygma Eduard Moraru
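
A pre-import check for the case described in this report, as an added example that is not part of the original issue or of XWiki's code: it lists the pages in a XAR whose author fields name a user of a different wiki, the condition under which a backup import gives the imported page programming rights (PR). The function names, the sample package and the wiki name `subwiki1` are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Document-level author metadata in an XWiki XAR page entry.
AUTHOR_FIELDS = ("creator", "author", "contentAuthor")


def audit_xar(xar_bytes, local_wiki):
    """Return (entry, field, value) for author fields that name a user of another wiki."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xar_bytes)) as xar:
        for name in xar.namelist():
            if not name.endswith(".xml") or name == "package.xml":
                continue
            raw = xar.read(name)
            # The package is untrusted input: refuse DTDs instead of expanding entities.
            if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
                findings.append((name, "doctype", "not parsed"))
                continue
            for child in ET.fromstring(raw):  # direct children of <xwikidoc>
                field = child.tag.rsplit("}", 1)[-1]  # tolerate a namespaced root
                value = (child.text or "").strip()
                # Assumption: "wiki:Space.Page" form with no escaped ':' in the wiki name.
                wiki, sep, _ = value.partition(":")
                if field in AUTHOR_FIELDS and sep and wiki != local_wiki:
                    findings.append((name, field, value))
    return findings


def sample_xar():
    """Constructed package: one page claims the main-wiki admin as author, one is local."""
    page = ("<xwikidoc><web>Sandbox</web><name>{n}</name><creator>{a}</creator>"
            "<author>{a}</author><contentAuthor>{a}</contentAuthor>"
            "<content>x</content></xwikidoc>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xar:
        xar.writestr("package.xml", "<package/>")
        xar.writestr("Sandbox/Imported.xml", page.format(n="Imported", a="xwiki:XWiki.Admin"))
        xar.writestr("Sandbox/Local.xml", page.format(n="Local", a="XWiki.Alice"))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_xar(sample_xar(), local_wiki="subwiki1"):
        print(finding)
```

An author reference without a wiki prefix is treated as local to the importing wiki and is not reported.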