On Thu, May 17, 2018 at 10:10 PM, Kwan Kim <[email protected]> wrote: > I am Kwan Kim who works for the Rogosin Institute (medical research company > specialized for Kidney disease in New York) > > Recently we tried to use xwiki as an our wiki server. > > So we configured the xwiki server on Redhat, MySQL & Glassfish environment > and ask vulnerability test team to test. > > However they found several security issues. > > And I am not a expert for the xwiki so I am not sure whether xwiki already > has a solution to fix the issues or not. > > That’s why I would like to ask you about the security features of xwiki. > > This is the security problems which the vulnerability team addressed below: > > 1. Cross Site Scripting (XSS): Script insertion at Name Field in the > registration form. > > When new user register, there is first and last name field. thesis fields > allow javascript code.
It's not very clear to me what this mean. In which context exactly the javascript inserted in the user name is executed ? > > Is there any way we can put the some validation to prevent the javascript > code ? > > > 2. No controls for Account Creation > > The vulnerability test team think it is too easy to create new account > > Is there any way that new account need to get approval from admin user ? Its possible to disable registration and let admins create accounts but I don't think there is any support for admin validation of self registered users (but it's possible I missed it). > > > 3.Site discloses session tokens in multiple locations > > It seems xwiki use session token through URL(GET). The vulnerability test > team suggest to use POST method instead GET. > > Is there any option to use POST method instead of GET method to transmit the > session token information? It's not a really a all or nothing central place so we would need to know where exactly you have this issue to see if there is a way to fix it in a case by case basis. > > > > 4.Username retrieval with no verification > > When the user forget the username, the user can retrieve username with email > address. However it is not sent to email but show in the site. > > The vulnerability test team think the hacker can get the username if they try > many different combination of email. > > Is it possible xwiki only send the username by email instead of showing in > the page ? Would be great if you could create an issue about that on http://jira.xwiki.org. Looks easy to fix, just need to discuss if we should do it or not. On my side I did not know we were displaying the user id in this page and I agree that it's probably not a good idea. > > > > > 5. Password Validation is weak > > It seems xwiki allow weak password to register new user. > > Is it possible to use strong password only when new user registered in xwiki? It's possible to add a lot of constraint in the registration form. See http://extensions.xwiki.org/xwiki/bin/view/Extension/Administration%20Application#HValidationConstraints. > > > > These are the all issue they addressed. > > Please let me know the answer. > > Thank you and have a good day > > Kwan Kim -- Thomas Mortagne
