Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-9069

Private document name leak in document index

    XMLWordPrintable

Details

    • security, access rights
    • Low
    • Hard
    • N/A
    • N/A

    Description

      The AllDocs page expose the names of all pages (including confidential pages) to all users (including unregistered users).

      XWiki should check that the current user has the "view" right for the returned pages.

      As a temporary workaround the AllDocs page should have the "view" right restricted to the XWikiAllGroup.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-6489 information leak in tag cloud - ignoring access rights

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-16544 Unauthenticated user can retrieve the list of users through getdocuments.vm

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              mleduc Manuel Leduc
              dirk@computer42.org H.-Dirk Schmitt
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: