On Mon, May 13, 2013 at 6:24 PM, Sergiu Dumitriu <sergiu(a)xwiki.org> wrote:

> On 05/13/2013 12:13 PM, Thomas Delafosse wrote:
>> I think it's more secure to let it be used only on the current user
>> profile page. Otherwise we can imagine an attacker creating a page where
>> this check is performed against the current user, enabling him to gain
>> information about the users visiting this page. (For example he could do
>> something like
>>
>>   #foreach($passwd in $passwdList)
>>     #if($xwiki.getUser().checkPassword($passwd))
>>       Store this information somewhere (in another doc, in an object, or
>>       even by sending me a mail)
>>     #end
>>   #end
>> )
>
> This can still be done "apparently" in the context of the profile
> document using, for example, something like XWIKI-8885. This is just
> another inefficient hoop through which we force motivated attackers to
> go, but which doesn't fix the security issue.

You are right, there are currently ways to work around this check. But I
hope that with Andreas' branch it would be harder to find such leaks, and
anyway it makes this attack available only to attackers having found these
leaks. Even if this is not perfect, I feel more comfortable this way.

> On the other hand, it restricts its usage to just one specific purpose,
> that of changing the password, when it could serve other useful (future)
> scenarios, like confirming some dangerous changes (signing a script,
> installing a XAR as backup package, permanently emptying the trash bins).

I agree, it could be useful to check the password at some other points. So
what we could do is allow public check only from the user's profile page,
and PR check from any page. The issue with the change of password is that
the template doesn't have PR, but I guess that in the scenarios you
mention, this would be done from a normal wiki page, and thus we could ask
this page to have PR. What do you think?
>
>> And I don't think that users with PR need to be able to make this check
>> on any user (and if they need they can still perform it through the
>> core), so I prefer to keep it this way.
>
> Agreed.
>
>> Cheers,
>>
>> Thomas
>>
>>
>> On Mon, May 13, 2013 at 5:42 PM, Sergiu Dumitriu <sergiu(a)xwiki.org>
>> wrote:
>>
>>> On 05/06/2013 09:44 AM, Thomas Delafosse wrote:
>>>> Hi all,
>>>>
>>>> After discussing it with Vincent, it seems that it would be better to
>>>> be able to access this method without PR: thus we could keep the code
>>>> for changing the password in passwd.vm instead of having to make a new
>>>> page with PR for that. To prevent malicious users from using it
>>>> nonetheless, I propose that this method could only be used to check
>>>> the current user's password, and only on their profile page.
>>>> Does this seem OK to you, or do you think this should be done another
>>>> way?
>>>
>>> Why only on the user's profile page?
>>>
>>> The method could allow public check only for the current user, and PR
>>> check for any user.
>
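The guard the thread converges on, written out as an added example that is not part of this message or of XWiki's code base. ScriptContext, UserStore, is_allowed(), check_password() and probe_visitor() are hypothetical stand-ins for the real API and execution context; the users and passwords are constructed sample data. The policy modelled is: the check always targets the current user's own password; without programming rights (PR) it may only run from that user's profile document; with PR it may run from any document but still only for the current user. The model assumes ctx.executing_doc is trustworthy, which is exactly what Sergiu's XWIKI-8885 remark calls into question: an attacker whose script can appear to run in the profile document's context gets past this guard, as the second probe_visitor() call shows.

```python
"""Model of the guarded checkPassword() discussed in this thread.

Added example, not XWiki code. ScriptContext, UserStore, is_allowed() and
check_password() are hypothetical stand-ins for the real API and context.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ScriptContext:
    current_user: str    # user viewing the page, e.g. "XWiki.Alice"
    executing_doc: str   # document whose script is running (assumed trustworthy)
    has_pr: bool         # whether that script runs with programming rights


class PasswordCheckDenied(Exception):
    """Raised when the policy forbids the call (hypothetical)."""


class UserStore:
    """Constructed in-memory store: salted PBKDF2 hashes, constant-time compare."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._records[name] = (salt, self._hash(password, salt))

    def verify(self, name, password):
        if name not in self._records:
            return False
        salt, stored = self._records[name]
        return hmac.compare_digest(self._hash(password, salt), stored)


def profile_doc(user):
    # Assumption: a user's profile document has the same reference as the user.
    return user


def is_allowed(ctx, target_user):
    """Policy from the thread: PR widens *where* the check may run, not *whom*."""
    if target_user != ctx.current_user:
        return False
    return ctx.has_pr or ctx.executing_doc == profile_doc(ctx.current_user)


def check_password(store, ctx, target_user, password):
    """The guarded API call; raises instead of answering when the policy forbids it."""
    if not is_allowed(ctx, target_user):
        raise PasswordCheckDenied(f"{ctx.executing_doc} may not check {target_user}")
    return store.verify(target_user, password)


def probe_visitor(store, ctx, candidates):
    """Thomas's attacker loop: try each candidate against the visiting user.

    Returns the candidates that matched, or None when the guard refuses the
    first call, i.e. the page learns nothing about the visitor's password.
    """
    matches = []
    for candidate in candidates:
        try:
            if check_password(store, ctx, ctx.current_user, candidate):
                matches.append(candidate)
        except PasswordCheckDenied:
            return None
    return matches


def make_store():
    # Constructed sample users; the passwords are illustrative only.
    store = UserStore()
    store.add_user("XWiki.Alice", "correct horse battery")
    store.add_user("XWiki.Bob", "hunter2")
    return store


if __name__ == "__main__":
    store = make_store()
    wordlist = ["123456", "password", "correct horse battery", "hunter2"]
    on_attacker_page = ScriptContext("XWiki.Alice", "Attacker.Probe", has_pr=False)
    print("attacker page, no PR:", probe_visitor(store, on_attacker_page, wordlist))
    on_profile = ScriptContext("XWiki.Alice", "XWiki.Alice", has_pr=False)
    print("profile page, passwd.vm flow:",
          check_password(store, on_profile, "XWiki.Alice", "correct horse battery"))
    print("same loop run in the profile context:", probe_visitor(store, on_profile, wordlist))
    on_pr_page = ScriptContext("XWiki.Alice", "Admin.ConfirmDangerousChange", has_pr=True)
    print("PR page, own account:", is_allowed(on_pr_page, "XWiki.Alice"))
    print("PR page, someone else's account:", is_allowed(on_pr_page, "XWiki.Bob"))
```

The attacker page gets a denial on its first call and learns nothing, while the passwd.vm-style flow on the profile page succeeds without PR. The third print is Sergiu's objection made concrete: the same enumeration loop, if it can be made to execute with the profile document as executing_doc, is not stopped by this guard. Nothing here rate-limits or logs failed checks; that is a separate concern the thread does not raise.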