17 Dec
2015
17 Dec
'15
5:04 p.m.
On 17 Dec 2015 at 14:17:02, vincent(a)massol.net
(vincent@massol.net(mailto:vincent@massol.net)) wrote:
Hi XWiki users and devs,
An important security issue in the XML-RPC module of XWiki
(http://extensions.xwiki.org/xwiki/bin/view/Extension/XML-RPC+Integration) was brought to
our attention by a community member (thanks Ruben Herold). Specifically if your wiki is
available on the internet, it’s possible that an intruder may have had access to local
files that can be read by the user under which you’ve started the Servlet Container used
for XWiki.
Note 1: The issue actually comes from the version of the Apache XMLRPC module we were
using (https://ws.apache.org/xmlrpc/). It’s been fixed in the latest version (3.1.3). We
were using version 3.1.
Note 2: ThE XWiki XMLRPC module has been deprecated for a long time now (was replaced by
REST) but it was still enabled till XWiki 7.3M1:
* In XWiki 7.3M1 we’ve turned off that feature
* In XWiki 7.4M2 we’ve removed it altogether by default
We recommend that you either upgrade to XWiki 6.4.7, 7.1.4 or 7.3+ or that you turn-off
the XML-RPC feature on your wiki **especially if your wiki is open on the internet**.
Turning it off is easy: edit XWiki’s META-INF/web.xml file and comment out or remove the
following sections:
Correction:
it’s WEB-INF/web.xml
Thanks
-Vincent
...