Hi XWiki users and devs,
An important security issue in the XML-RPC module of XWiki (http://extensions.xwiki.org/xwiki/bin/view/Extension/XML-RPC+Integration) was brought to our attention by a community member (thanks Ruben Herold). Specifically if your wiki is available on the internet, it’s possible that an intruder may have had access to local files that can be read by the user under which you’ve started the Servlet Container used for XWiki.
Note 1: The issue actually comes from the version of the Apache XMLRPC module we were using (https://ws.apache.org/xmlrpc/). It’s been fixed in the latest version (3.1.3). We were using version 3.1.
Note 2: The XWiki XMLRPC module has been deprecated for a long time now (was replaced by REST) but it was still enabled till XWiki 7.3M1:
* In XWiki 7.3M1 we’ve turned off that feature
* In XWiki 7.4M2 we’ve removed it altogether by default
We recommend that you either upgrade to XWiki 6.4.7, 7.1.4 or 7.3+ or that you turn off the XML-RPC feature on your wiki **especially if your wiki is open on the internet**.
Turning it off is easy: edit XWiki’s META-INF/web.xml file and comment out or remove the following sections:
...
<!--filter-mapping>
<filter-name>XWikiXmlRpcContextInitializationFilter</filter-name>
<servlet-name>xmlrpc</servlet-name>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping-->
...
<!--servlet>
<servlet-name>xmlrpc</servlet-name>
<servlet-class>com.xpn.xwiki.xmlrpc.XWikiXmlRpcServlet</servlet-class>
<init-param>
<description>Sets, whether the servlet supports vendor extensions for XML-RPC.</description>
<param-name>enabledForExtensions</param-name>
<param-value>false</param-value>
</init-param>
</servlet-->
...
<!--servlet-mapping>
<servlet-name>xmlrpc</servlet-name>
<url-pattern>/xmlrpc/*</url-pattern>
</servlet-mapping-->
...
Sorry for the inconvenience.
Thanks
-Vincent Massol on behalf of the XWiki Core dev team
PS: If you need to discuss more about this security issue we recommend that you use XWiki’s security list, see http://dev.xwiki.org/xwiki/bin/view/Community/MailingLists
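As an added check (example code written for this digest, not XWiki's own), a small script that parses a web.xml and reports whether the xmlrpc servlet, its servlet-mapping or the XWikiXmlRpcContextInitializationFilter mapping quoted above are still active, plus a helper that applies the comment-out edit the mail describes; the sample web.xml is constructed and reduced to those sections:

```python
import xml.etree.ElementTree as ET

# Names taken from the web.xml excerpt in the advisory above.
XMLRPC_SERVLET = "xmlrpc"
XMLRPC_FILTER = "XWikiXmlRpcContextInitializationFilter"

def _local(tag):
    # Strip '{namespace}' so the check works with or without the Java EE xmlns.
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    # Text of the first direct child called `name`, or "" if absent.
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def xmlrpc_findings(web_xml):
    # List the XML-RPC sections still active in web.xml text; [] means disabled.
    # The parser discards XML comments, so sections commented out as the mail
    # recommends never reach this loop.
    findings = []
    for elem in ET.fromstring(web_xml):
        kind = _local(elem.tag)
        if kind == "servlet" and _text(elem, "servlet-name") == XMLRPC_SERVLET:
            findings.append("servlet")
        elif kind == "servlet-mapping" and _text(elem, "servlet-name") == XMLRPC_SERVLET:
            findings.append("servlet-mapping:" + _text(elem, "url-pattern"))
        elif kind == "filter-mapping" and (
                _text(elem, "filter-name") == XMLRPC_FILTER
                or _text(elem, "servlet-name") == XMLRPC_SERVLET):
            findings.append("filter-mapping")
    return findings

def comment_out(web_xml, tag):
    # Wrap each <tag>...</tag> block in an XML comment, the edit the mail describes.
    return web_xml.replace("<%s>" % tag, "<!--%s>" % tag).replace("</%s>" % tag, "</%s-->" % tag)

# Constructed sample (not a real XWiki web.xml), reduced to the XML-RPC sections.
ACTIVE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter-mapping><filter-name>XWikiXmlRpcContextInitializationFilter</filter-name>
    <servlet-name>xmlrpc</servlet-name><dispatcher>REQUEST</dispatcher></filter-mapping>
  <servlet><servlet-name>xmlrpc</servlet-name>
    <servlet-class>com.xpn.xwiki.xmlrpc.XWikiXmlRpcServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>xmlrpc</servlet-name>
    <url-pattern>/xmlrpc/*</url-pattern></servlet-mapping>
</web-app>"""
DISABLED = comment_out(comment_out(comment_out(ACTIVE, "filter-mapping"), "servlet"), "servlet-mapping")
# xmlrpc_findings(ACTIVE) -> ['filter-mapping', 'servlet', 'servlet-mapping:/xmlrpc/*']; DISABLED -> []
```

Run it against the real WEB-INF/web.xml after editing to confirm the result is an empty list before restarting the servlet container.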
The XWiki development team is proud to announce the availability of XWiki
7.4 Milestone 2.
This is our last stabilization branch for the XWiki 7.x Cycle. It brings
polishing and stabilization for the Nested Pages feature and the changes in
UI that resulted from it. It is now possible to have template hierarchies,
and to add an automatic redirect when a page is renamed.
You can download it here: http://www.xwiki.org/xwiki/bin/view/Main/Download
Make sure to review the release notes:
http://www.xwiki.org/xwiki/bin/view/ReleaseNotes/ReleaseNotesXWiki74M2
The following people have contributed code to this release (sorted
alphabetically):
Guillaume Delhumeau
Sergiu Dumitriu
Marius Dumitru Florea
Vincent Massol
Eduard Moraru
Thomas Mortagne
Manuel Smeria
Thanks for your support
-The XWiki dev team
Hi,
I know that is not the mailing list of the users, but I have the same
question as this posting:
http://lists.xwiki.org/pipermail/users/2014-September/029114.html
Only difference is, I'm using version 7.3 of XWiki. Has this issue been
answered?
Thank you,
Olaf
(Germany, Augsburg)
Hi devs,
I have just released the first version of api-wiki-customproperties, a new
extension that provides a scripting API to access and manage generic
custom properties in wiki descriptors.
You can get a quick overview of it from the extension page at
http://extensions.xwiki.org/xwiki/bin/view/Extension/Wiki+Custom+Properties…
I hope you will find this new API useful for your projects.
Please, could someone with enough privileges create a new JIRA project for
this extension.
Thanks,
--
Denis Gervalle
SOFTEC sa - CEO
Hi devs,
Here’s what I commented on https://github.com/xwiki/xwiki-platform/pull/307 :
“
Thanks Pascal. I've just noticed that we still bundle TinyMCE in XWiki's WAR. It was probably left for backward compatibility but since it's been like 6-7 years that we've dropped it, I believe we could vote about dropping it from our sources and if someone really needs it they'll still be able to manually install it in their wikis. I'll follow up on the devs list, thanks.
“
WDYT? Are you ok to remove it?
Thanks
-Vincent
Hi Devs,
a minor suggestion after trying a 7.4 snapshot locally: shouldn't we put
the search icon before the watchlist icon?
Right now clicking the search icon moves the watchlist icon laterally,
which is a bit surprising => if the search icon was leftmost, this would
not be a problem. WDYT?
Thanks,
Guillaume
Hi devs,
I think that for data that are both not critical and high volume we should use ElasticSearch instead of saving them in our RDBMS.
So the idea would be to have an embedded ES in XWiki by default (using the permanent directory to store its data) and admins could configure XWiki to use a separate ES instance (very similar to what we do with SOLR).
Whenever a user modifies/creates/deletes/does operations on XObjects/etc, this is sent to ES.
The AS UI queries ES to display the data.
The Stats UI does the same.
Pros:
- scalability
- performance
- extensibility. It’s easy to evolve the schema in ES, and we can easily have several formats (as was proven by the Active Installs code)
I’d like to start a POC in my “free” time.
WDYT?
Thanks
-Vincent