[Question for the xwiki security feature] Hi xwiki security members

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

[Question for the xwiki security feature] Hi xwiki security members

Kwan Kim
 I am Kwan Kim who works for the Rogosin Institute (medical research company specialized for Kidney disease in New York)

Recently we tried to use xwiki as an our wiki server.

So we configured the xwiki server on Redhat, MySQL & Glassfish environment and ask vulnerability test team to test.

However they found several security issues.

And I am not a expert for the xwiki so I am not sure whether xwiki already has a solution to fix the issues or not.

That’s why I would like to ask you about the security features of xwiki.

This is the security problems which the vulnerability team addressed below:

1. Cross Site Scripting (XSS): Script insertion at Name Field in the registration form.

When new user register, there is first and last name field. thesis fields allow javascript code.

Is there any way we can put the some validation to prevent the javascript code  ?


2. No controls for Account Creation

The  vulnerability test team think it is too easy to create new account

Is there any way that new account need to get approval from admin user ?


3.Site discloses session tokens in multiple locations

It seems xwiki use session token through URL(GET). The vulnerability test team suggest to use POST method instead GET.

Is there any option to use POST method instead of GET method to transmit the session token information?



4.Username retrieval with no verification

When the user forget the username, the user can retrieve username with email address. However it is not sent to email but show in the site.

The vulnerability test team think the hacker can get the username if they try many different combination of email.

Is it possible xwiki only send the username by email instead of showing in the page ?




5. Password Validation is weak

 It seems xwiki allow weak password to register new user.

Is it possible to use strong password only when new user registered in xwiki?



These are the all issue they addressed.

Please let me know the answer.

Thank you and have a good day

Kwan Kim
Reply | Threaded
Open this post in threaded view
|

Re: [Question for the xwiki security feature] Hi xwiki security members

Thomas Mortagne
Administrator
On Thu, May 17, 2018 at 10:10 PM, Kwan Kim <[hidden email]> wrote:

>  I am Kwan Kim who works for the Rogosin Institute (medical research company specialized for Kidney disease in New York)
>
> Recently we tried to use xwiki as an our wiki server.
>
> So we configured the xwiki server on Redhat, MySQL & Glassfish environment and ask vulnerability test team to test.
>
> However they found several security issues.
>
> And I am not a expert for the xwiki so I am not sure whether xwiki already has a solution to fix the issues or not.
>
> That’s why I would like to ask you about the security features of xwiki.
>
> This is the security problems which the vulnerability team addressed below:
>
> 1. Cross Site Scripting (XSS): Script insertion at Name Field in the registration form.
>
> When new user register, there is first and last name field. thesis fields allow javascript code.

It's not very clear to me what this mean. In which context exactly the
javascript inserted in the user name is executed ?

>
> Is there any way we can put the some validation to prevent the javascript code  ?
>
>
> 2. No controls for Account Creation
>
> The  vulnerability test team think it is too easy to create new account
>
> Is there any way that new account need to get approval from admin user ?

Its possible to disable registration and let admins create accounts
but I don't think there is any support for admin validation of self
registered users (but it's possible I missed it).

>
>
> 3.Site discloses session tokens in multiple locations
>
> It seems xwiki use session token through URL(GET). The vulnerability test team suggest to use POST method instead GET.
>
> Is there any option to use POST method instead of GET method to transmit the session token information?

It's not a really a all or nothing central place so we would need to
know where exactly you have this issue to see if there is a way to fix
it in a case by case basis.

>
>
>
> 4.Username retrieval with no verification
>
> When the user forget the username, the user can retrieve username with email address. However it is not sent to email but show in the site.
>
> The vulnerability test team think the hacker can get the username if they try many different combination of email.
>
> Is it possible xwiki only send the username by email instead of showing in the page ?

Would be great if you could create an issue about that on
http://jira.xwiki.org. Looks easy to fix, just need to discuss if we
should do it or not. On my side I did not know we were displaying the
user id in this page and I agree that it's probably not a good idea.

>
>
>
>
> 5. Password Validation is weak
>
>  It seems xwiki allow weak password to register new user.
>
> Is it possible to use strong password only when new user registered in xwiki?

It's possible to add a lot of constraint in the registration form. See
http://extensions.xwiki.org/xwiki/bin/view/Extension/Administration%20Application#HValidationConstraints.

>
>
>
> These are the all issue they addressed.
>
> Please let me know the answer.
>
> Thank you and have a good day
>
> Kwan Kim



--
Thomas Mortagne
Reply | Threaded
Open this post in threaded view
|

Fwd: [Question for the xwiki security feature] Hi xwiki security members

Adel Atallah
On Fri, May 18, 2018 at 9:35 AM, Thomas Mortagne
<[hidden email]> wrote:

> On Thu, May 17, 2018 at 10:10 PM, Kwan Kim <[hidden email]> wrote:
>>  I am Kwan Kim who works for the Rogosin Institute (medical research company specialized for Kidney disease in New York)
>>
>> Recently we tried to use xwiki as an our wiki server.
>>
>> So we configured the xwiki server on Redhat, MySQL & Glassfish environment and ask vulnerability test team to test.
>>
>> However they found several security issues.
>>
>> And I am not a expert for the xwiki so I am not sure whether xwiki already has a solution to fix the issues or not.
>>
>> That’s why I would like to ask you about the security features of xwiki.
>>
>> This is the security problems which the vulnerability team addressed below:
>>
>> 1. Cross Site Scripting (XSS): Script insertion at Name Field in the registration form.
>>
>> When new user register, there is first and last name field. thesis fields allow javascript code.
>
> It's not very clear to me what this mean. In which context exactly the
> javascript inserted in the user name is executed ?

The inserted javascript can be found on the profile page. See this
screenshot for instance: https://i.imgur.com/NNcSFb0.png
We could either escape HTML tags whenever first name and last name
fields are displayed or we can escape the tags directly when saving
the information on the database (but we'll need to make a migration).

>
>>
>> Is there any way we can put the some validation to prevent the javascript code  ?
>>
>>
>> 2. No controls for Account Creation
>>
>> The  vulnerability test team think it is too easy to create new account
>>
>> Is there any way that new account need to get approval from admin user ?
>
> Its possible to disable registration and let admins create accounts
> but I don't think there is any support for admin validation of self
> registered users (but it's possible I missed it).
>
>>
>>
>> 3.Site discloses session tokens in multiple locations
>>
>> It seems xwiki use session token through URL(GET). The vulnerability test team suggest to use POST method instead GET.
>>
>> Is there any option to use POST method instead of GET method to transmit the session token information?
>
> It's not a really a all or nothing central place so we would need to
> know where exactly you have this issue to see if there is a way to fix
> it in a case by case basis.
>
>>
>>
>>
>> 4.Username retrieval with no verification
>>
>> When the user forget the username, the user can retrieve username with email address. However it is not sent to email but show in the site.
>>
>> The vulnerability test team think the hacker can get the username if they try many different combination of email.
>>
>> Is it possible xwiki only send the username by email instead of showing in the page ?
>
> Would be great if you could create an issue about that on
> http://jira.xwiki.org. Looks easy to fix, just need to discuss if we
> should do it or not. On my side I did not know we were displaying the
> user id in this page and I agree that it's probably not a good idea.
>
>>
>>
>>
>>
>> 5. Password Validation is weak
>>
>>  It seems xwiki allow weak password to register new user.
>>
>> Is it possible to use strong password only when new user registered in xwiki?
>
> It's possible to add a lot of constraint in the registration form. See
> http://extensions.xwiki.org/xwiki/bin/view/Extension/Administration%20Application#HValidationConstraints.
>
>>
>>
>>
>> These are the all issue they addressed.
>>
>> Please let me know the answer.
>>
>> Thank you and have a good day
>>
>> Kwan Kim
>
>
>
> --
> Thomas Mortagne

Thanks for your report Kwan Kim :),
Adel Atallah
Reply | Threaded
Open this post in threaded view
|

Re: [Question for the xwiki security feature] Hi xwiki security members

Paul Libbrecht-2
In reply to this post by Thomas Mortagne
On 18 May 2018, at 9:35, Thomas Mortagne wrote:

> On Thu, May 17, 2018 at 10:10 PM, Kwan Kim <[hidden email]> wrote:
>> 2. No controls for Account Creation
>> The  vulnerability test team think it is too easy to create new account
>> Is there any way that new account need to get approval from admin user ?
> Its possible to disable registration and let admins create accounts
> but I don't think there is any support for admin validation of self
> registered users (but it's possible I missed it).

I think that breaking the activation mail reaches that (e.g. prevent mails, remove the link from the validation mail content) and let admins act after they are requested by email.

paul

signature.asc (523 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [Question for the xwiki security feature] Hi xwiki security members

Eduard Moraru
In reply to this post by Thomas Mortagne
On Fri, May 18, 2018 at 10:35 AM, Thomas Mortagne <[hidden email]
> wrote:

> On Thu, May 17, 2018 at 10:10 PM, Kwan Kim <[hidden email]> wrote:
> >  I am Kwan Kim who works for the Rogosin Institute (medical research
> company specialized for Kidney disease in New York)
> >
> > Recently we tried to use xwiki as an our wiki server.
> >
> > So we configured the xwiki server on Redhat, MySQL & Glassfish
> environment and ask vulnerability test team to test.
> >
> > However they found several security issues.
> >
> > And I am not a expert for the xwiki so I am not sure whether xwiki
> already has a solution to fix the issues or not.
> >
> > That’s why I would like to ask you about the security features of xwiki.
> >
> > This is the security problems which the vulnerability team addressed
> below:
> >
> > 1. Cross Site Scripting (XSS): Script insertion at Name Field in the
> registration form.
> >
> > When new user register, there is first and last name field. thesis
> fields allow javascript code.
>
> It's not very clear to me what this mean. In which context exactly the
> javascript inserted in the user name is executed ?
>

https://jira.xwiki.org/browse/XWIKI-9658

Thanks,
Eduard


>
> >
> > Is there any way we can put the some validation to prevent the
> javascript code  ?
> >
> >
> > 2. No controls for Account Creation
> >
> > The  vulnerability test team think it is too easy to create new account
> >
> > Is there any way that new account need to get approval from admin user ?
>
> Its possible to disable registration and let admins create accounts
> but I don't think there is any support for admin validation of self
> registered users (but it's possible I missed it).
>
> >
> >
> > 3.Site discloses session tokens in multiple locations
> >
> > It seems xwiki use session token through URL(GET). The vulnerability
> test team suggest to use POST method instead GET.
> >
> > Is there any option to use POST method instead of GET method to transmit
> the session token information?
>
> It's not a really a all or nothing central place so we would need to
> know where exactly you have this issue to see if there is a way to fix
> it in a case by case basis.
>
> >
> >
> >
> > 4.Username retrieval with no verification
> >
> > When the user forget the username, the user can retrieve username with
> email address. However it is not sent to email but show in the site.
> >
> > The vulnerability test team think the hacker can get the username if
> they try many different combination of email.
> >
> > Is it possible xwiki only send the username by email instead of showing
> in the page ?
>
> Would be great if you could create an issue about that on
> http://jira.xwiki.org. Looks easy to fix, just need to discuss if we
> should do it or not. On my side I did not know we were displaying the
> user id in this page and I agree that it's probably not a good idea.
>
> >
> >
> >
> >
> > 5. Password Validation is weak
> >
> >  It seems xwiki allow weak password to register new user.
> >
> > Is it possible to use strong password only when new user registered in
> xwiki?
>
> It's possible to add a lot of constraint in the registration form. See
> http://extensions.xwiki.org/xwiki/bin/view/Extension/
> Administration%20Application#HValidationConstraints.
>
> >
> >
> >
> > These are the all issue they addressed.
> >
> > Please let me know the answer.
> >
> > Thank you and have a good day
> >
> > Kwan Kim
>
>
>
> --
> Thomas Mortagne
>
Reply | Threaded
Open this post in threaded view
|

Re: [EXTERNAL] [Question for the xwiki security feature] Hi xwiki security members

Kwan Kim
In reply to this post by Thomas Mortagne
Hi Thomas

Thanks for the reply.

I was out for a week.

I think I can apply the constraint you suggest during the registration.

Have a good day.

Kwan


> On May 18, 2018, at 3:35 AM, Thomas Mortagne <[hidden email]> wrote:
>
> On Thu, May 17, 2018 at 10:10 PM, Kwan Kim <[hidden email]> wrote:
>> I am Kwan Kim who works for the Rogosin Institute (medical research company specialized for Kidney disease in New York)
>>
>> Recently we tried to use xwiki as an our wiki server.
>>
>> So we configured the xwiki server on Redhat, MySQL & Glassfish environment and ask vulnerability test team to test.
>>
>> However they found several security issues.
>>
>> And I am not a expert for the xwiki so I am not sure whether xwiki already has a solution to fix the issues or not.
>>
>> That’s why I would like to ask you about the security features of xwiki.
>>
>> This is the security problems which the vulnerability team addressed below:
>>
>> 1. Cross Site Scripting (XSS): Script insertion at Name Field in the registration form.
>>
>> When new user register, there is first and last name field. thesis fields allow javascript code.
>
> It's not very clear to me what this mean. In which context exactly the
> javascript inserted in the user name is executed ?
>
>>
>> Is there any way we can put the some validation to prevent the javascript code  ?
>>
>>
>> 2. No controls for Account Creation
>>
>> The  vulnerability test team think it is too easy to create new account
>>
>> Is there any way that new account need to get approval from admin user ?
>
> Its possible to disable registration and let admins create accounts
> but I don't think there is any support for admin validation of self
> registered users (but it's possible I missed it).
>
>>
>>
>> 3.Site discloses session tokens in multiple locations
>>
>> It seems xwiki use session token through URL(GET). The vulnerability test team suggest to use POST method instead GET.
>>
>> Is there any option to use POST method instead of GET method to transmit the session token information?
>
> It's not a really a all or nothing central place so we would need to
> know where exactly you have this issue to see if there is a way to fix
> it in a case by case basis.
>
>>
>>
>>
>> 4.Username retrieval with no verification
>>
>> When the user forget the username, the user can retrieve username with email address. However it is not sent to email but show in the site.
>>
>> The vulnerability test team think the hacker can get the username if they try many different combination of email.
>>
>> Is it possible xwiki only send the username by email instead of showing in the page ?
>
> Would be great if you could create an issue about that on
> https://urldefense.proofpoint.com/v2/url?u=http-3A__jira.xwiki.org&d=DwIFaQ&c=apLCJo22jkVRpFivmRGGHnRn85FoLi_g9mEBSlVKwRY&r=QNivoJyva4O9yhvC1BEmYg&m=uFaDqull3pNGX-StE_2ElE0wnNGe3BEzVQu00tivu9I&s=fSyCzsIVtc3AYU8F-lv0ikk6KM3dVzMx0pMVE98UgD8&e=. Looks easy to fix, just need to discuss if we
> should do it or not. On my side I did not know we were displaying the
> user id in this page and I agree that it's probably not a good idea.
>
>>
>>
>>
>>
>> 5. Password Validation is weak
>>
>> It seems xwiki allow weak password to register new user.
>>
>> Is it possible to use strong password only when new user registered in xwiki?
>
> It's possible to add a lot of constraint in the registration form. See
> https://urldefense.proofpoint.com/v2/url?u=http-3A__extensions.xwiki.org_xwiki_bin_view_Extension_Administration-2520Application-23HValidationConstraints&d=DwIFaQ&c=apLCJo22jkVRpFivmRGGHnRn85FoLi_g9mEBSlVKwRY&r=QNivoJyva4O9yhvC1BEmYg&m=uFaDqull3pNGX-StE_2ElE0wnNGe3BEzVQu00tivu9I&s=cxiLjzu6zBI74zyoal-E3slNfY6uleDZ_-B0dLZgRLo&e=.
>
>>
>>
>>
>> These are the all issue they addressed.
>>
>> Please let me know the answer.
>>
>> Thank you and have a good day
>>
>> Kwan Kim
>
>
>
> --
> Thomas Mortagne