[ https://issues.apache.org/jira/browse/JSPWIKI-645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12857206#action_12857206 ]

Jürgen Weber commented on JSPWIKI-645:
--------------------------------------

So, there is a simple attack which completely circumvents ACL protection:

Just add a cron job that wgets a page containing RecentChangesPlugin every minute and
appends the output to a log. You get *all* ACL-protected content.
With some diff logic you can even restore the pages completely.
> RecentChanges plugin shows pages, for which the user has no access
> ------------------------------------------------------------------
>
>                 Key: JSPWIKI-645
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-645
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Plugins
>    Affects Versions: 2.8.3
>         Environment: Windows xp, tomcat6
>            Reporter: Gergely Kontra
>            Priority: Minor
>
> Any user can include the text [{INSERT 
> com.ecyrd.jspwiki.plugin.RecentChangesPlugin}] in a page and see the records of 
> page edits (including who edited them and when) for pages which he/she may 
> not even have the right to see.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
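Editor's note on the issue above. The plugin leaks because it renders whatever WikiEngine.getRecentChanges() returns without asking whether the requesting session may view each page, so the page-level ACL is bypassed by anyone who can read any page containing the plugin. The snippet below is an added illustration of the missing check, written against the JSPWiki 2.8 API names used in this report (com.ecyrd.jspwiki.*). It is not the project's own fix and not code from the ticket; the class name ViewFilteredRecentChanges and the helper names are assumptions made here.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import com.ecyrd.jspwiki.WikiContext;
import com.ecyrd.jspwiki.WikiEngine;
import com.ecyrd.jspwiki.WikiPage;
import com.ecyrd.jspwiki.auth.AuthorizationManager;
import com.ecyrd.jspwiki.auth.permissions.PermissionFactory;

/**
 * Illustration only (not the JSPWiki project's patch for JSPWIKI-645):
 * reduce the recent-changes list to the pages the current session is
 * allowed to view before the plugin renders it.
 */
public final class ViewFilteredRecentChanges {

    private ViewFilteredRecentChanges() { }

    /**
     * Returns only those pages for which the session holds the "view"
     * PagePermission. This is the same check the normal page-view path
     * performs, so a page ACL that denies viewing also hides the page's
     * existence, author and edit time from this listing.
     */
    public static List<WikiPage> visibleTo(WikiContext context, Collection<WikiPage> changes) {
        WikiEngine engine = context.getEngine();
        AuthorizationManager authMgr = engine.getAuthorizationManager();
        List<WikiPage> visible = new ArrayList<WikiPage>();
        for (WikiPage page : changes) {
            if (authMgr.checkPermission(context.getWikiSession(),
                                        PermissionFactory.getPagePermission(page, "view"))) {
                visible.add(page);
            }
            // Pages failing the check are silently dropped: emitting a
            // placeholder would still leak that a protected page changed.
        }
        return visible;
    }

    /**
     * Intended call site inside RecentChangesPlugin.execute(): use this in
     * place of the raw engine.getRecentChanges() result. The unchecked cast
     * reflects that the 2.8 API returns a raw Collection of WikiPage.
     */
    public static List<WikiPage> recentChangesFor(WikiContext context) {
        @SuppressWarnings("unchecked")
        Collection<WikiPage> all = context.getEngine().getRecentChanges();
        return visibleTo(context, all);
    }
}
```

The check is deliberately placed on the listing side rather than on the page-fetch side: the metadata itself (page name, author, timestamp) is what the cron-and-wget harvest in the comment above collects, so denying the later page fetch does not close the leak. Any other component that enumerates pages for an arbitrary reader (index and search plugins, RSS feeds, attachment lists) needs the same per-page permission filter.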