Hi XWiki users and devs,
An important security issue in the XML-RPC module of XWiki
(http://extensions.xwiki.org/xwiki/bin/view/Extension/XML-RPC+Integration) was brought to
our attention by a community member (thanks Ruben Herold). Specifically, if your wiki is
reachable from the internet, an intruder may have been able to read local files on the
server: any file readable by the OS user under which you started the servlet container
that runs XWiki.
Note 1: The issue actually comes from the version of the Apache XML-RPC library we were
using (https://ws.apache.org/xmlrpc/). It has been fixed in the latest version (3.1.3); we
were using version 3.1.
Note 2: The XWiki XML-RPC module has been deprecated for a long time now (it was replaced
by the REST API) but it was still enabled until XWiki 7.3M1:
* In XWiki 7.3M1 we’ve turned off that feature
* In XWiki 7.4M2 we’ve removed it altogether by default
We recommend that you either upgrade to XWiki 6.4.7, 7.1.4 or 7.3+, or that you turn off
the XML-RPC feature on your wiki, **especially if your wiki is open on the internet**.
Turning it off is easy: edit XWiki's WEB-INF/web.xml file (the servlet deployment
descriptor inside the deployed XWiki webapp), comment out or remove the following
sections, then restart the servlet container so that the new descriptor is loaded. After
the restart, a request to the /xmlrpc/ path of your wiki should no longer be answered by
the XML-RPC servlet (typically the container returns a 404 instead):
...
<!--filter-mapping>
  <filter-name>XWikiXmlRpcContextInitializationFilter</filter-name>
  <servlet-name>xmlrpc</servlet-name>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping-->
...
<!--servlet>
  <servlet-name>xmlrpc</servlet-name>
  <servlet-class>com.xpn.xwiki.xmlrpc.XWikiXmlRpcServlet</servlet-class>
  <init-param>
    <description>Sets, whether the servlet supports vendor extensions for XML-RPC.</description>
    <param-name>enabledForExtensions</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet-->
...
<!--servlet-mapping>
  <servlet-name>xmlrpc</servlet-name>
  <url-pattern>/xmlrpc/*</url-pattern>
</servlet-mapping-->
...
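To verify the edit above rather than trust it, here is an added check script. It is not part of this advisory or of the XWiki code base: it parses a web.xml and reports whether an xmlrpc servlet, its servlet-mapping, or a filter-mapping targeting it is still active. Since the XML parser drops comments, sections commented out exactly as shown above count as removed. The two sample descriptors embedded in the script are constructed for the example (they are not XWiki's real web.xml), and the optional probe_xmlrpc helper assumes your wiki's context path (for instance http://localhost:8080/xwiki) as its argument.

```python
# Added example (not from the XWiki advisory or code base): check that a web.xml no
# longer exposes the XML-RPC servlet. ElementTree discards XML comments, so entries
# commented out as the advisory shows are treated the same as deleted ones.
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the namespace: '{http://java.sun.com/xml/ns/javaee}servlet' -> 'servlet'."""
    return tag.rsplit('}', 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child whose local name is `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or '').strip()
    return None


def xmlrpc_exposure(web_xml):
    """Report which XML-RPC pieces are still active in a web.xml document (text).

    Returns whether the 'xmlrpc' <servlet> is declared, the url-patterns mapped
    to it, and whether a <filter-mapping> still targets it.
    """
    root = ET.fromstring(web_xml)
    found = {'servlet': False, 'url_patterns': [], 'filter_mapping': False}
    for elem in root:
        if _child_text(elem, 'servlet-name') != 'xmlrpc':
            continue
        kind = _local(elem.tag)
        if kind == 'servlet':
            found['servlet'] = True
        elif kind == 'servlet-mapping':
            found['url_patterns'].append(_child_text(elem, 'url-pattern'))
        elif kind == 'filter-mapping':
            found['filter_mapping'] = True
    return found


def xmlrpc_enabled(web_xml):
    """True when the servlet is both declared and mapped to a URL, i.e. still reachable."""
    found = xmlrpc_exposure(web_xml)
    return found['servlet'] and bool(found['url_patterns'])


def probe_xmlrpc(base_url, timeout=5):
    """HTTP status of GET <base_url>/xmlrpc/ after the container restart.

    base_url is the wiki's context path (assumption, e.g. http://localhost:8080/xwiki).
    A 404 means no servlet answers on that path any more. Network call; not used offline.
    """
    req = urllib.request.Request(base_url.rstrip('/') + '/xmlrpc/', method='GET')
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed sample descriptors (not XWiki's real web.xml): the three XML-RPC entries
# before and after the advisory's edit, next to an unrelated servlet that must survive.
_HEAD = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">\n'
_OTHER = ('  <servlet><servlet-name>action</servlet-name>'
          '<servlet-class>com.xpn.xwiki.web.XWikiAction</servlet-class></servlet>\n'
          '  <servlet-mapping><servlet-name>action</servlet-name>'
          '<url-pattern>/bin/*</url-pattern></servlet-mapping>\n')
_XMLRPC = ('  {o}filter-mapping>\n'
           '    <filter-name>XWikiXmlRpcContextInitializationFilter</filter-name>\n'
           '    <servlet-name>xmlrpc</servlet-name>\n'
           '    <dispatcher>REQUEST</dispatcher>\n'
           '  </filter-mapping{c}\n'
           '  {o}servlet>\n'
           '    <servlet-name>xmlrpc</servlet-name>\n'
           '    <servlet-class>com.xpn.xwiki.xmlrpc.XWikiXmlRpcServlet</servlet-class>\n'
           '  </servlet{c}\n'
           '  {o}servlet-mapping>\n'
           '    <servlet-name>xmlrpc</servlet-name>\n'
           '    <url-pattern>/xmlrpc/*</url-pattern>\n'
           '  </servlet-mapping{c}\n')
WEB_XML_BEFORE = _HEAD + _OTHER + _XMLRPC.format(o='<', c='>') + '</web-app>\n'
WEB_XML_AFTER = _HEAD + _OTHER + _XMLRPC.format(o='<!--', c='-->') + '</web-app>\n'

if __name__ == '__main__':
    for label, doc in (('before', WEB_XML_BEFORE), ('after', WEB_XML_AFTER)):
        state = 'ENABLED' if xmlrpc_enabled(doc) else 'disabled'
        print(label, state, xmlrpc_exposure(doc))
```

Run it against your own descriptor with `xmlrpc_exposure(open('WEB-INF/web.xml').read())`; anything other than an empty url_patterns list means the mapping is still live. The parse-based check only tells you what the file says, so after restarting the container also call probe_xmlrpc on the wiki's base URL and confirm it no longer returns a successful XML-RPC response.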
Sorry for the inconvenience.
Thanks
-Vincent Massol on behalf of the XWiki Core dev team
PS: If you need to discuss more about this security issue we recommend that you use
XWiki’s security list, see
http://dev.xwiki.org/xwiki/bin/view/Community/MailingLists