On Fri, May 18, 2018 at 10:35 AM, Thomas Mortagne <[email protected]> wrote:
> On Thu, May 17, 2018 at 10:10 PM, Kwan Kim <[email protected]> wrote:
> > I am Kwan Kim who works for the Rogosin Institute (a medical research
> > company specialized in kidney disease in New York).
> >
> > Recently we tried to use xwiki as our wiki server.
> >
> > So we configured the xwiki server on a Redhat, MySQL & Glassfish
> > environment and asked a vulnerability test team to test it.
> >
> > However they found several security issues.
> >
> > And I am not an expert for xwiki so I am not sure whether xwiki
> > already has a solution to fix the issues or not.
> >
> > That's why I would like to ask you about the security features of xwiki.
> >
> > These are the security problems which the vulnerability team addressed
> > below:
> >
> > 1. Cross Site Scripting (XSS): Script insertion at Name Field in the
> > registration form.
> >
> > When a new user registers, there are first and last name fields. These
> > fields allow javascript code.
>
> It's not very clear to me what this means. In which context exactly is the
> javascript inserted in the user name executed?

https://jira.xwiki.org/browse/XWIKI-9658

Thanks,
Eduard

> > Is there any way we can put some validation in place to prevent the
> > javascript code?
> >
> > 2. No controls for Account Creation
> >
> > The vulnerability test team think it is too easy to create a new account.
> >
> > Is there any way that a new account needs to get approval from an admin user?
>
> It's possible to disable registration and let admins create accounts
> but I don't think there is any support for admin validation of self
> registered users (but it's possible I missed it).
>
> > 3. Site discloses session tokens in multiple locations
> >
> > It seems xwiki uses session tokens through URL (GET). The vulnerability
> > test team suggest using the POST method instead of GET.
> >
> > Is there any option to use the POST method instead of the GET method to
> > transmit the session token information?
>
> It's not really an all-or-nothing central place, so we would need to
> know where exactly you have this issue to see if there is a way to fix
> it on a case by case basis.
>
> > 4. Username retrieval with no verification
> >
> > When the user forgets the username, the user can retrieve the username
> > with an email address. However it is not sent by email but shown on the site.
> >
> > The vulnerability test team think the hacker can get the username if
> > they try many different combinations of emails.
> >
> > Is it possible for xwiki to only send the username by email instead of
> > showing it in the page?
>
> Would be great if you could create an issue about that on
> http://jira.xwiki.org. Looks easy to fix, just need to discuss if we
> should do it or not. On my side I did not know we were displaying the
> user id in this page and I agree that it's probably not a good idea.
>
> > 5. Password Validation is weak
> >
> > It seems xwiki allows weak passwords when registering a new user.
> >
> > Is it possible to allow only strong passwords when a new user registers in
> > xwiki?
>
> It's possible to add a lot of constraints in the registration form. See
> http://extensions.xwiki.org/xwiki/bin/view/Extension/Administration%20Application#HValidationConstraints.
>
> > These are all the issues they addressed.
> >
> > Please let me know the answer.
> >
> > Thank you and have a good day
> >
> > Kwan Kim
>
> --
> Thomas Mortagne
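Thomas's answer to item 3 is that the session-token-in-URL finding has to be located page by page before it can be fixed. The following script is an added example for doing that triage, not XWiki code and not something from the thread: it scans web-server access-log lines in Common Log Format and reports every request whose path or query string carries a session identifier, so the exact pages can be listed in a ticket. The token names it looks for (the servlet-style `;jsessionid=` path parameter plus a few generic query-parameter names) and the sample log lines are assumptions constructed for the example.

```python
"""Locate requests that carry a session identifier in the URL.

Added example (not XWiki code). Scans constructed access-log lines in
Common Log Format and reports each request whose path or query string
carries a session token, so the affected pages can be fixed one by one.
The token names checked are an assumed list, not taken from the thread.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Common Log Format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Parameter names a session or auth token commonly travels under (assumed).
TOKEN_PARAMS = {"jsessionid", "session", "sessionid", "token", "sid"}


def find_url_tokens(target):
    """Return (location, name, value) for each token found in one request target.

    location is 'path' for ';name=value' path parameters (servlet URL
    rewriting puts jsessionid there) and 'query' for ?name=value parameters.
    """
    hits = []
    parts = urlsplit(target)  # urlsplit keeps ';params' inside .path
    for segment in parts.path.split(";")[1:]:
        name, _, value = segment.partition("=")
        if name.lower() in TOKEN_PARAMS:
            hits.append(("path", name, value))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in TOKEN_PARAMS:
            hits.append(("query", name, value))
    return hits


def scan_log(lines):
    """Return one finding dict per request that carries a token in its URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        hits = find_url_tokens(m["target"])
        if hits:
            findings.append({
                "host": m["host"],
                "method": m["method"],
                "path": urlsplit(m["target"]).path.split(";")[0],
                "tokens": hits,
            })
    return findings


def redacted_report(lines):
    """Ticket-friendly summary with token values masked."""
    out = []
    for f in scan_log(lines):
        for where, name, value in f["tokens"]:
            masked = value[:4] + "..." if len(value) > 4 else "***"
            out.append(f'{f["method"]} {f["path"]}: {name}={masked} in {where}')
    return out


# Constructed sample log: hosts, paths and token values are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [18/May/2018:10:35:01 +0000] "GET /xwiki/bin/view/Main/;jsessionid=A1B2C3D4E5F6 HTTP/1.1" 200 5123
10.0.0.5 - - [18/May/2018:10:35:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
10.0.0.9 - - [18/May/2018:10:35:07 +0000] "GET /xwiki/bin/download/XWiki/Logo/logo.png?JSESSIONID=A1B2C3D4E5F6 HTTP/1.1" 200 1020
10.0.0.9 - - [18/May/2018:10:35:09 +0000] "POST /xwiki/bin/save/Sandbox/WebHome HTTP/1.1" 302 0
garbage line that does not parse
"""

if __name__ == "__main__":
    for entry in redacted_report(SAMPLE_LOG.splitlines()):
        print(entry)
```

Two caveats for whoever runs this against real logs. First, the test team's suggestion to move the token to POST does not remove the underlying problem; a session identifier in a URL ends up in browser history, proxy logs and the Referer header of outbound requests, and the durable fix is to carry it only in an HttpOnly, Secure cookie. In Servlet 3.0 containers this is what restricting session tracking to cookies in web.xml does, which turns off `;jsessionid` URL rewriting entirely; that is general servlet behaviour, not something the thread states about XWiki. Second, the script masks token values in its report so the triage output does not itself become another place the tokens are disclosed.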

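Item 4 above (username shown in the page for any e-mail address that matches an account) is a textbook account-enumeration issue, and Thomas agrees it is probably not a good idea. The following is an added example, not XWiki code and not a patch from the thread, of what the hardened version of such a "forgot username" flow looks like: the username travels only by e-mail to the address on file, the HTTP response is byte-for-byte identical whether or not the address is registered, and requests are rate limited per client address and per (hashed) e-mail address. The user store, outbox, clock and the numeric limits are all constructed stand-ins for the example; the `leaky_lookup` function reproduces the flagged behaviour for contrast.

```python
"""Username reminder that does not reveal whether an e-mail is registered.

Added example (not XWiki code). The user store, mailer and clock are
in-memory stand-ins and the limits are assumptions, not XWiki settings.
"""
import hashlib
from collections import defaultdict, deque

RESPONSE = ("If an account exists for that address, an e-mail with the "
            "username has been sent.")


def leaky_lookup(users, email):
    """The behaviour the test team flagged: the page itself reveals the
    username for a matching address and a different answer for no match,
    so an attacker can confirm accounts just by trying addresses."""
    username = users.get(email.strip().lower())
    if username is None:
        return 404, "No account for that address."
    return 200, f"Your username is {username}."


class UsernameReminder:
    def __init__(self, users, outbox, clock,
                 window=3600, max_per_ip=10, max_per_email=3):
        self.users = users            # {email (lower-case): username}
        self.outbox = outbox          # list standing in for a mail queue
        self.clock = clock            # callable returning seconds
        self.window = window
        self.max_per_ip = max_per_ip
        self.max_per_email = max_per_email
        self._ip_hits = defaultdict(deque)
        self._email_hits = defaultdict(deque)

    def _limited(self, bucket, key, limit):
        """Sliding-window counter: True once key has hit limit inside window."""
        now = self.clock()
        q = bucket[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= limit:
            return True
        q.append(now)
        return False

    def request(self, email, client_ip):
        email = email.strip().lower()
        # Limiter state keys on a hash so it never holds raw addresses.
        email_key = hashlib.sha256(email.encode()).hexdigest()
        if (self._limited(self._ip_hits, client_ip, self.max_per_ip)
                or self._limited(self._email_hits, email_key, self.max_per_email)):
            return 429, RESPONSE
        username = self.users.get(email)
        if username is not None:
            # The only channel that carries the username: the address on file.
            self.outbox.append({"to": email, "body": f"Your username is {username}."})
        # Same status and body whether or not the address is registered.
        return 200, RESPONSE


def run_scenario():
    """Constructed walk-through: one real account, one probing attacker."""
    users = {"kkim@example.org": "kkim"}          # constructed account
    outbox = []
    now = [1000.0]
    svc = UsernameReminder(users, outbox, lambda: now[0],
                           window=3600, max_per_ip=5, max_per_email=2)
    results = {
        "known": svc.request("kkim@example.org", "10.0.0.5"),
        "unknown": svc.request("nobody@example.org", "10.0.0.5"),
        "known_again": svc.request("KKim@example.org", "10.0.0.6"),
        "known_limited": svc.request("kkim@example.org", "10.0.0.7"),
    }
    results["sent_before_expiry"] = len(outbox)
    now[0] += 3601                                 # slide past the window
    results["known_after_window"] = svc.request("kkim@example.org", "10.0.0.7")
    results["sent_total"] = len(outbox)
    results["leaky"] = (leaky_lookup(users, "kkim@example.org"),
                        leaky_lookup(users, "nobody@example.org"))
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The uniform response is what stops enumeration; the per-address limit is what stops an attacker from using the reminder to flood a victim's inbox, and the per-IP limit only slows down a single source, since addresses rotate cheaply. In a real deployment the mail send should go to a queue rather than be performed inline, otherwise the extra latency on the "account exists" branch becomes a timing oracle that leaks the same information the page used to print.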
