[Question for the xwiki security feature] Hi xwiki security members


Kwan Kim
I am Kwan Kim, and I work for the Rogosin Institute (a medical research company specializing in kidney disease in New York).

Recently we tried to use XWiki as our wiki server.

So we configured the XWiki server in a Red Hat, MySQL and GlassFish environment and asked a vulnerability test team to test it.

However, they found several security issues.

I am not an expert on XWiki, so I am not sure whether XWiki already has a solution to fix the issues or not.

That's why I would like to ask you about the security features of XWiki.

These are the security problems which the vulnerability team reported:

1. Cross-Site Scripting (XSS): script insertion in the Name fields of the registration form.

When a new user registers, there are first and last name fields. These fields allow JavaScript code.

Is there any way we can put some validation in place to prevent JavaScript code?

2. No controls for account creation

The vulnerability test team thinks it is too easy to create a new account.

Is there any way that a new account needs to get approval from an admin user?


3. Site discloses session tokens in multiple locations

It seems XWiki passes the session token through the URL (GET). The vulnerability test team suggests using the POST method instead of GET.

Is there any option to use the POST method instead of the GET method to transmit the session token information?


4. Username retrieval with no verification

When users forget their username, they can retrieve it with their email address. However, it is not sent by email but shown on the site.

The vulnerability test team thinks a hacker can get usernames by trying many different email addresses.

Is it possible for XWiki to only send the username by email instead of showing it on the page?



5. Password validation is weak

It seems XWiki allows weak passwords when registering a new user.

Is it possible to only allow strong passwords when a new user registers in XWiki?


These are all the issues they reported.

Please let me know the answer.

Thank you and have a good day.

Kwan Kim

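The following is an added example and is not code from the post above or from the XWiki project. It shows, in plain Python, the server-side shape of a fix for three of the reported items: for item 1, validating the name fields and HTML-encoding them on output (encoding is what actually stops script injection, since a legal name such as O'Brien cannot simply be rejected for containing punctuation); for item 4, a "forgot username" handler that returns the same response whether or not the address is registered and only delivers the username by email; and for item 5, a password policy check. The `USERS` directory, the `send_mail` callback and the `COMMON` list are constructed for this example and stand in for whatever a real deployment would use.

```python
"""Added example (not XWiki code): server-side checks for XSS in name fields,
username enumeration on the forgot-username form, and weak passwords."""
import html
import re

# --- Item 1: XSS via the first/last name fields --------------------------
# Validation keeps the stored value sane (printable, bounded length); output
# encoding is the control that prevents the value from executing as script.
NAME_RE = re.compile(r"^[^\x00-\x1f\x7f]{1,64}$")  # printable characters, at most 64


def validate_name(value: str) -> bool:
    """True if the name is a non-empty printable string of reasonable length."""
    return bool(NAME_RE.match(value))


def render_name(first: str, last: str) -> str:
    """HTML-encode both parts before interpolating them into markup.

    html.escape also encodes quotes, so the result is safe inside attribute
    values as well as element content.
    """
    return f'<span class="name">{html.escape(first)} {html.escape(last)}</span>'


# --- Item 4: username retrieval without enumeration ----------------------
# Hypothetical user directory, constructed for this example.
USERS = {"alice@example.org": "alice", "bob@example.org": "bob"}

NEUTRAL_REPLY = "If that address is registered, the username has been emailed to it."


def forgot_username(email: str, send_mail) -> str:
    """Return the same message for known and unknown addresses.

    The username never appears in the HTTP response; it is sent only to the
    mailbox that owns it via the caller-supplied send_mail(to, body) callback.
    """
    username = USERS.get(email)
    if username is not None:
        send_mail(email, f"Your username is {username}")
    return NEUTRAL_REPLY


# --- Item 5: weak password policy ----------------------------------------
# Constructed deny-list; a real deployment would use a breached-password set.
COMMON = {"password", "123456", "qwerty", "letmein", "xwiki"}
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")  # lower, upper, digit, symbol


def check_password(pw: str, username: str = "", min_len: int = 12) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if sum(bool(re.search(p, pw)) for p in CLASSES) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if pw.lower() in COMMON:
        problems.append("is a commonly used password")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    print(render_name("<script>alert(1)</script>", "Kim"))
    print(forgot_username("nobody@example.org", lambda to, body: None))
    print(check_password("password"))
```

Because `forgot_username` returns `NEUTRAL_REPLY` on both paths, an attacker submitting many addresses learns nothing from the page; rate limiting the form is still advisable so the mailbox owner is not flooded.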