Hi Thomas Thanks for the reply.
I was out for a week. I think I can apply the constraint you suggest during the registration. Have a good day. Kwan > On May 18, 2018, at 3:35 AM, Thomas Mortagne <thomas.morta...@xwiki.com> > wrote: > > On Thu, May 17, 2018 at 10:10 PM, Kwan Kim <kwk9...@nyp.org> wrote: >> I am Kwan Kim who works for the Rogosin Institute (medical research company >> specialized for Kidney disease in New York) >> >> Recently we tried to use xwiki as an our wiki server. >> >> So we configured the xwiki server on Redhat, MySQL & Glassfish environment >> and ask vulnerability test team to test. >> >> However they found several security issues. >> >> And I am not a expert for the xwiki so I am not sure whether xwiki already >> has a solution to fix the issues or not. >> >> That’s why I would like to ask you about the security features of xwiki. >> >> This is the security problems which the vulnerability team addressed below: >> >> 1. Cross Site Scripting (XSS): Script insertion at Name Field in the >> registration form. >> >> When new user register, there is first and last name field. thesis fields >> allow javascript code. > > It's not very clear to me what this mean. In which context exactly the > javascript inserted in the user name is executed ? > >> >> Is there any way we can put the some validation to prevent the javascript >> code ? >> >> >> 2. No controls for Account Creation >> >> The vulnerability test team think it is too easy to create new account >> >> Is there any way that new account need to get approval from admin user ? > > Its possible to disable registration and let admins create accounts > but I don't think there is any support for admin validation of self > registered users (but it's possible I missed it). > >> >> >> 3.Site discloses session tokens in multiple locations >> >> It seems xwiki use session token through URL(GET). The vulnerability test >> team suggest to use POST method instead GET. >> >> Is there any option to use POST method instead of GET method to transmit the >> session token information? > > It's not a really a all or nothing central place so we would need to > know where exactly you have this issue to see if there is a way to fix > it in a case by case basis. > >> >> >> >> 4.Username retrieval with no verification >> >> When the user forget the username, the user can retrieve username with email >> address. However it is not sent to email but show in the site. >> >> The vulnerability test team think the hacker can get the username if they >> try many different combination of email. >> >> Is it possible xwiki only send the username by email instead of showing in >> the page ? > > Would be great if you could create an issue about that on > https://urldefense.proofpoint.com/v2/url?u=http-3A__jira.xwiki.org&d=DwIFaQ&c=apLCJo22jkVRpFivmRGGHnRn85FoLi_g9mEBSlVKwRY&r=QNivoJyva4O9yhvC1BEmYg&m=uFaDqull3pNGX-StE_2ElE0wnNGe3BEzVQu00tivu9I&s=fSyCzsIVtc3AYU8F-lv0ikk6KM3dVzMx0pMVE98UgD8&e=. > Looks easy to fix, just need to discuss if we > should do it or not. On my side I did not know we were displaying the > user id in this page and I agree that it's probably not a good idea. > >> >> >> >> >> 5. Password Validation is weak >> >> It seems xwiki allow weak password to register new user. >> >> Is it possible to use strong password only when new user registered in xwiki? > > It's possible to add a lot of constraint in the registration form. See > https://urldefense.proofpoint.com/v2/url?u=http-3A__extensions.xwiki.org_xwiki_bin_view_Extension_Administration-2520Application-23HValidationConstraints&d=DwIFaQ&c=apLCJo22jkVRpFivmRGGHnRn85FoLi_g9mEBSlVKwRY&r=QNivoJyva4O9yhvC1BEmYg&m=uFaDqull3pNGX-StE_2ElE0wnNGe3BEzVQu00tivu9I&s=cxiLjzu6zBI74zyoal-E3slNfY6uleDZ_-B0dLZgRLo&e=. > >> >> >> >> These are the all issue they addressed. >> >> Please let me know the answer. >> >> Thank you and have a good day >> >> Kwan Kim > > > > -- > Thomas Mortagne