22 Feb
2009
22 Feb
'09
12:05 p.m.
Hi,
I just realized, the password recovery function unveils a user's password.
In a wiki with registration, and Email verification, where the XWiki
space must currently be enabled to be viewed by everybdy, this could
be used by spammers(and others who like to collect email addresses) to
harvest email addresses by caling the resetpassword function for every
user they see on the "AllUsers" page.
I'd propose to not show the Email address to which a password reminder is sent.
Henning
--
Henning Sprang
http://www.sprang.de | http://lazyb0y.blogspot.com/
23 Feb
23 Feb
2:08 a.m.
In XWiki 1.8RC1, this "security issue" doesn't seem to be the case by
default.
For one, if you look at the page's Rights
(/xwiki/bin/edit/XWiki/ResetPassword?editor=rights) you'll note that the
XWikiAllGroup is explicitly prevented from editing, as are "Unregistered
Users". This seems to have the side-effect of turning off programming
rights for any logged in users. Thus when any registered or unregistered
user accesses the page, they get this error (including XWiki.Admin)
This page requires programming rights to work, which currently isn't true.
Please notify an administrator of this problem and try
again later.
In fact, I'm not sure what it would take to make the page's rights such that
it has "programming rights." Nor how one could setup a standalone
"Space-based" app that can run by unregisterded users w/o giving unecessary
editing or scripting privileges to those that shouldn't have them -- for
example the "Polls" application that is the topic of another conversation.
Speaking of security, it is unfortunate that an unregistered user can see
script code (e.g. xwiki/bin/view/XWiki/ResetPassword?viewer=code). IMHO,
there should be a separate priv alongside "view/comment/edit/delete/admin"
which should be "codeview" (turn on/off access to seeing code to a
document). It is also unfortunate that a lot of "switches" end up having
security ramifactions rather than being able to set security on the basis of
leading path-components --.e.g. different accesses for xwiki/bin/view than
xwiki/bin/edit . With that model, the &viewer=code argument becomes a
toplevel "directory", e.g. xwiki/bin/codeview/ with it's own access and
priv
capabilities...
Niels
http://nielsmayer.com
On Sun, Feb 22, 2009 at 3:05 AM, Henning Sprang <henning.sprang(a)gmail.com>wrote;wrote:
I just realized, the password recovery function
unveils a user's password.
In a wiki with registration, and Email verification, where the XWiki
space must currently be enabled to be viewed by everybdy, this could
be used by spammers(and others who like to collect email addresses) to
harvest email addresses by caling the resetpassword function for every
user they see on the "AllUsers" page.
I'd propose to not show the Email address to which a password reminder is
sent.
12:20 p.m.
On Mon, Feb 23, 2009 at 2:08 AM, Niels Mayer <nielsmayer(a)gmail.com> wrote:
In XWiki 1.8RC1, this "security issue"
doesn't seem to be the case by
default.
I'll check that.
I realized I wrote a mistake in the first sentence. I didn't see the
problem of code being shown or something like that, but when I call
the resetPassword function,
the system show the _Email_ address of the username for whom I call
the resetpassword.
And because anybody can call this function for any user, as well as,
in the default setting, and for password reset and other things to
work properly, the pages that show all usernames are viewable by
unregistered users, people can harvest email addresses from all users
on the wiki.
But yes, The code viewing and execution stuff is interesting for other
threads I started these days and for the general idea that I usuall
don't like to make the whole XWiki space viewable by unregistered
users.
Henning
12:28 p.m.
Hi Henning,
I think your remark is spot on. I'll check with Sergiu whether this should
be removed (it's quite an easy modification to do).
Actually, right now you can change it by editing the page and
replacing "<tt>${userEmail}</tt>" with "your email
address":
67: #if($mailResult == 0)
68: #info("An e-mail was sent to <tt>${userEmail}</tt>. Please follow
the
instructions in that e-mail to complete the password reset procedure.")
69: #else
Thanks for the hint,
Guillaume
On Mon, Feb 23, 2009 at 12:20 PM, Henning Sprang
<henning.sprang(a)gmail.com>wrote;wrote:
On Mon, Feb 23, 2009 at 2:08 AM, Niels Mayer
<nielsmayer(a)gmail.com> wrote:
--
Guillaume Lerouge
Product Manager - XWiki
Skype ID : wikibc
http://guillaumelerouge.com/
In XWiki 1.8RC1, this "security issue"
doesn't seem to be the case by
default.
I'll check that.
I realized I wrote a mistake in the first sentence. I didn't see the
problem of code being shown or something like that, but when I call
the resetPassword function,
the system show the _Email_ address of the username for whom I call
the resetpassword.
And because anybody can call this function for any user, as well as,
in the default setting, and for password reset and other things to
work properly, the pages that show all usernames are viewable by
unregistered users, people can harvest email addresses from all users
on the wiki.
But yes, The code viewing and execution stuff is interesting for other
threads I started these days and for the general idea that I usuall
don't like to make the whole XWiki space viewable by unregistered
users.
Henning
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
12:53 p.m.
Guillaume Lerouge wrote:
Hi Henning,
I think your remark is spot on. I'll check with Sergiu whether this should
be removed (it's quite an easy modification to do).
Actually, right now you can change it by editing the page and
replacing "<tt>${userEmail}</tt>" with "your email
address":
67: #if($mailResult == 0)
68: #info("An e-mail was sent to <tt>${userEmail}</tt>. Please follow
the
instructions in that e-mail to complete the password reset procedure.")
69: #else
I'm not sure what's the best thing to do. Indeed, this reveals user
emails, but these are already available in the user profiles. On the
other hand, many people change email addresses quite often (or have
several addresses that they use), so if the user forgot the
password/username, it is likely that he forgot which email address was
used there, too, so this points to the right place to look for the email.
What we can do is to display the email address somehow obfuscated,
either css+xml tricks or using a trimmed address, like Google Groups does.
WDYT?
Thanks for the hint,
Guillaume
On Mon, Feb 23, 2009 at 12:20 PM, Henning Sprang
<henning.sprang(a)gmail.com>wrote;wrote:
> On Mon, Feb 23, 2009 at 2:08 AM, Niels Mayer <nielsmayer(a)gmail.com> wrote:
>> In XWiki 1.8RC1, this "security issue" doesn't seem to be the case
by
>> default.
> I'll check that.
>
> I realized I wrote a mistake in the first sentence. I didn't see the
> problem of code being shown or something like that, but when I call
> the resetPassword function,
> the system show the _Email_ address of the username for whom I call
> the resetpassword.
>
> And because anybody can call this function for any user, as well as,
> in the default setting, and for password reset and other things to
> work properly, the pages that show all usernames are viewable by
> unregistered users, people can harvest email addresses from all users
> on the wiki.
>
> But yes, The code viewing and execution stuff is interesting for other
> threads I started these days and for the general idea that I usuall
> don't like to make the whole XWiki space viewable by unregistered
> users.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
1:05 p.m.
Hi,
On Mon, Feb 23, 2009 at 12:53 PM, Sergiu Dumitriu <sergiu(a)xwiki.com> wrote:
--
Guillaume Lerouge
Product Manager - XWiki
Skype ID : wikibc
http://guillaumelerouge.com/
Guillaume Lerouge wrote:
Indeed, showing the first 5 chars + domain name could be ok, like :
guillaume(a)xwiki.com => guill...(a)xwiki.com
Or even limiting to the domain name, like: "your password has been sent to
your @xwiki.com email account".
WDYT?
Guillaume
Hi Henning,
I think your remark is spot on. I'll check with Sergiu whether this
should
be removed (it's quite an easy modification
to do).
Actually, right now you can change it by editing the page and
replacing "<tt>${userEmail}</tt>" with "your email
address":
67: #if($mailResult == 0)
68: #info("An e-mail was sent to <tt>${userEmail}</tt>. Please follow
the
instructions in that e-mail to complete the password reset procedure.")
69: #else
I'm not sure what's the best thing to do. Indeed, this reveals user
emails, but these are already available in the user profiles. On the
other hand, many people change email addresses quite often (or have
several addresses that they use), so if the user forgot the
password/username, it is likely that he forgot which email address was
used there, too, so this points to the right place to look for the email.
What we can do is to display the email address somehow obfuscated,
either css+xml tricks or using a trimmed address, like Google Groups does.
WDYT? Thanks for the hint,
Guillaume
On Mon, Feb 23, 2009 at 12:20 PM, Henning Sprang
<henning.sprang(a)gmail.com>wrote;wrote:
> On Mon, Feb 23, 2009 at 2:08 AM, Niels Mayer <nielsmayer(a)gmail.com>
wrote:
>> In XWiki 1.8RC1, this "security
issue" doesn't seem to be the case by
>> default.
> I'll check that.
>
> I realized I wrote a mistake in the first sentence. I didn't see the
> problem of code being shown or something like that, but when I call
> the resetPassword function,
> the system show the _Email_ address of the username for whom I call
> the resetpassword.
>
> And because anybody can call this function for any user, as well as,
> in the default setting, and for password reset and other things to
> work properly, the pages that show all usernames are viewable by
> unregistered users, people can harvest email addresses from all users
> on the wiki.
>
> But yes, The code viewing and execution stuff is interesting for other
> threads I started these days and for the general idea that I usuall
> don't like to make the whole XWiki space viewable by unregistered
> users.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
25 Feb
25 Feb
1:01 p.m.
On Mon, Feb 23, 2009 at 1:05 PM, Guillaume Lerouge <guillaume(a)xwiki.com> wrote:
Indeed, showing the first 5 chars + domain name could
be ok, like :
guillaume(a)xwiki.com => guill...(a)xwiki.com
Or even limiting to the domain name, like: "your password has been sent to
your @xwiki.com email account".
WDYT?
Maybe that would be acceptable.
Usually, by all means of classic security measures in information
systems I ever read and heard, Emails should not be shown - as well as
a list of all users in a wiki whould not be shown unless users accept
explicitly to be listed.
A user who forgot on which Mail account he has registered should
either have to check all his 3 or 100 accounts, or he's lost anyway if
the mail account is already dumped, then he has to create a new wiki
login anyway.
Sure these things are more important in partly closed and private wiki
as I am going to use it for, and less for closed wikis, but xWiki is
an enterprise wiki, which is most often closed for many but a limited
amount of people.
Wikipedia is a total different environment - but for a wiki like this,
many people rather use mediawiki...
Henning
5735
days inactive
5738
days old
6 comments
4 participants
participants (4)
-
Guillaume Lerouge -
Henning Sprang -
Niels Mayer -
Sergiu Dumitriu