Yes, we should be protected against that.
We also should have ways to limit the rights to insert JS and scripting
in pages, based on rights similar to the "programming" rights.
It should be possible to run a wiki where only a certain group of people
is allowed to insert that type of content in pages.
This should additionally be handled at insert time (in addition to
execution time, like the programming rights).
We also should be able to list all pages that make use of these advanced
features:
- programming
- scripting
- javascript
Ludovic
Sergiu Dumitriu wrote:
Hi devs,
Should XWiki protect itself against CSRF? See
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 and
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Preven…
for details.
In short: an attacker could use something like:
<img src="http://xwikiserver/bin/save/Some/Document?content=Hacked"/> to
alter the wiki using another user's account. Protection usually involves
embedding tokens in submitted forms and URLs. The good news is that it
can be done transparently using an LGPL tool from OWASP. The bad news is
that it does not protect against attacks from the same wiki, but only
against cross-site attacks. And it also breaks direct manipulation using
URLs (as an expert user, I do enter URLs directly instead of clicking
through the interface, and I won't like it if I couldn't do it anymore).
So, WDYT?
--
Ludovic Dubost
Blog: http://blog.ludovic.org/
XWiki: http://www.xwiki.com
Skype: ldubost GTalk: ldubost
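The token-based protection Sergiu describes (a per-session secret embedded in submitted forms and checked on every state-changing request) as an added, constructed example; this is not XWiki or OWASP code, and the `Wiki`, `Session` and `Request` classes and the `/bin/save/...` handler are a minimal stand-in for the real save action.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for a logged-in user's server-side session."""
    user: str
    # Random per-session token; a page served by another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    path: str
    params: dict
    session: Session


class Wiki:
    """Minimal model of the save action with synchronizer-token protection (hypothetical)."""

    def __init__(self):
        self.pages = {}

    def edit_form(self, session, page):
        # The token is rendered into the legitimate edit form as a hidden field,
        # so a normal submission from the wiki's own UI carries it automatically.
        return (f'<form method="POST" action="/bin/save/{page}">'
                f'<input type="hidden" name="form_token" value="{session.csrf_token}"/>'
                f'<textarea name="content"></textarea></form>')

    def save(self, req):
        # A state change must not be reachable by a plain GET: that is exactly
        # what an <img src="..."> on a foreign page would issue.
        if req.method != "POST":
            return 405
        # Constant-time comparison of the submitted token with the session's copy.
        submitted = req.params.get("form_token", "")
        if not hmac.compare_digest(submitted, req.session.csrf_token):
            return 403
        self.pages[req.path[len("/bin/save/"):]] = req.params["content"]
        return 200
```

As the quoted mail notes, the same check rejects hand-typed save URLs, since they carry no token unless the user copies it from the form.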